New Cryptographic Protocols With Side-Channel Attack Security MA SSACHUSETS WNST1FTECHNOLOGY by Rachel A. Miller JUL 0 1 2012 B.A. in Computer Science and Physics, University of Virginia, 2009 M.A. in Mathematics, University of Virginia, 2009 LIBRARIES ARCHIVES Submitted to the Department of Electrical Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science at the Massachusetts Institute of Technology June 2012 @Rachel A. Miller. All rights reserved. The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part in any medium now known or hereafte reated. 2 Signature of author: Depar(ment of Electrical Engineering and Compuer cience May 23, 2012 I ;~ / - Certified by: Shafrira Goldwasser, RSA I rofessor of Electrical Engineering and Computer Science Thesis Supervisor Accepted by: ofessor of Electrical Engineering Leslie A. Kol2odziejsu Chair of the Committee on Graduate Students TE New Cryptographic Protocols With Side-Channel Attack Security by Rachel A. Miller Submitted to the Department of Electrical Engineering and Computer Science on May 23, 2012 in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science ABSTRACT Cryptographic protocols implemented in real world devices are subject to tampering attacks, where adversaries can modify hardware or memory. This thesis studies the security of many different primitives in the Related-Key Attack (RKA) model, where the adversary can modify a secret key. We show how to leverage the RKA security of blockciphers to provide RKA security for a suite of high-level primitives. This motivates a more general theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide both positive and negative answers. What emerges is a broad and high level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist "more" RKAs than others. A technical challenge was to achieve RKA security without assuming the class of allowed tampering functions is "claw-free"; this mathematical assumption fails to describe how tampering occurs in practice, but was made for all prior constructions in the RKA model. To solve this challenge, we present a new construction of psuedorandom generators that are not only RKA secure but satisfy a new notion of identity-collision-resistance. Thesis Supervisor: Shafrira Goldwasser Title: RSA Professor of Electrical Engineering and Computer Science Abstract We show how to leverage the RKA (Related-Key Attack) security of blockciphers to provide RKA security for a suite of high-level primitives. This motivates a more general theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide both positive and negative answers. What emerges is a broad and high level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist "more" RKAs than others. A technical challenge was to achieve RKA security even for the practical classes of related-key deriving (RKD) functions underlying fault injection attacks that fail to satisfy the "claw-freeness" assumption made in previous works. We surmount this barrier for the first time based on the construction of PRGs that are not only RKA secure but satisfy a new notion of identity-collision-resistance. Contents 1 2 3 Introduction 1.1 Contributions . . . . . . . . . . . Motivation - Tampering is Real! 2.1 Hardware Errors ........... 2.2 Transient Faults ........... 2.3 Overwrite attacks . . . . . . . . 2.4 Memory Remanence Attacks . 2.5 Protocol Failures . . . . . . . . 2.6 Self-destructing Memory . . . . . . . . . . . . . . . 4 6 8 8 8 9 . . . . . . 10 . . . . . . 10 11 . . . . Models of Tampering, 3.1 The History of the RKA Model 3.1.1 Claw-free assumption . 3.2 Protection versus Detection: The History of the Self-destruct Model 3.3 The History of Tampering Intermediate Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 13 15 17 18 4 Notation & Preliminaries 4.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Cryptographic Primitives & Security Games . . . . . . . . . . . 19 19 20 5 RKA-Model: Formal Treatment 22 6 <b-RKA secure PRFs 6.1 Pseudorandom Functions . . . . . . . . . . . . . . . . . . . . . 6.2 <b-RKA PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 . . . . . . . . . . 27 . . . . . . . . . . 28 7 Identity-Key Fingerprints and Identity Collision Resistance 7.1 Identity-Key Fingerprint . . . . . . . . . . . . . . . . . . . . . . 7.2 <b-RKA Secure Pseudorandom Generators . . . . . . . . . . . . 7.3 Identity Collision Resistance . . . . . . . . . . . . . . . . . . . . 30 31 34 37 8 Definitions of <b-RKA Secure Primitives 42 9 Constructions of <b-RKA Secure Primitives 9.1 Using <b-RKA PRG to Construct <b-RKA Signatures . . . . . . 9.2 Strong <b-RKA Security . . . . . . . . . . . . . . . . . . . . . . 9.3 <b-RKA Secure Signatures from <b-RKA Secure IBE Schemes . 9.4 <b-RKA Secure PKE-CCA from <b-RKA Secure IBE . . . . . . 50 50 58 64 66 10 Separations between RKA Sets 10.1 Separating 4-RKA PRFs from <b-RKA signatures . . . . . . 10.2 Other Relations Using Cnst . . . . . . . . . . . . . . . . . . . 10.3 Separating <b-RKA secure PRFs from <b-RKA secure wPRFs 10.4 Separating <b-RKA CPA SE from <b-RKA CCA SE . . . . . . 2 . . . . 70 70 72 73 75 Acknowledgments This thesis is based on joint work with Professor Mihir Bellare and David Cash. I'd like to express gratitude for the time that we explored ideas together; you were wonderful to work with! A very special thank you to my Advisor, Professor Shafi Goldwasser, for such caring mentorship - it has been such a pleasure to work and to learn under you for my time at MIT. Finally, I'd like to thank my family and my friends for their awesome, incredible support. 3 1 Introduction Historical notions of cryptographic security have assumed that adversaries have only black box access to cryptographic primitives; in these security games, adversaries can observe input and output behavior of the protocol, but gain no information from the physical implementation. However, this model fails to account for the fact that adversaries do gain additional information from physical implementations: such implementations leak data, such as the time or power it takes to compute with a secret key, and are also susceptible to physical tampering attacks, such as modification of the secret key with microprobes. Attacks that take advantage of this non-black-box nature of protocols are collectively known as side channel attacks. Side channel attacks actually exist in practice many practical side channel attacks have been well documented for almost two decades. To model the adversarial powers that allow side channel attacks, theoretical cryptographers have developed the enhanced security models of leakage and tampering. Leakage accounts for information passive adversaries may gain about the contents of secret memory in addition to the input/output behavior of the system. Tampering accounts for adversarial modification of an executing protocol, including changes to the bits in secret memory, the introduction of errors to the computation, and even physical changes to the circuit executing the protocol. Theoretical works have studied leakage extensively over the last several years, especially in the context of signatures and encryption. In contrast, very few theoretical results address tampering attacks- efficient cryptographic primitives with robust security against tampering are still lacking. Though several constructions of higher level primitives exist, these constructions only protect against highly algebraic and scheme specific tampering attacks [GOR11, AHI11, Luc04, BC10, GL1O], or else require heavy and inefficient machinery, such as NIZK proofs[KKS11]. The most commonly used theoretical framework in tampering is the Related-Key Attack (RKA) model, which allows adversarial modification of the secret key. In a related key attack, the adversary is allowed to modify the secret key and subsequently observe values from the cryptographic primitive (such as signatures or ciphertexts) computed with the modified secret key. Formally, for a primitive with secret key K, this occurs by allowing the adversary to select a function 4 4, and giving the adversary values computed with #(K) instead of with K. The RKA security definition is parameterized by a class of allowed tampering functions <b; we restrict how the adversary is allowed to modify the secret key by requiring that the adversary's selected tampering function # # satisfies E <b. We say a scheme is <b-RKA secure if security is maintained even when the adversary may perform related key attacks for 4 E (b. A second commonly used framework is the Self-Destruct model, which is a relaxation of the RKA model allowing the primitive to destroy secret memory if tampering is detected. The psuedo-random function (PRF) is the most studied primitive in the RKA model. A PRF is a family of functions, where individual functions are defined by evaluating the function using a fixed (secret) key. In the security game, an adversary is either given oracle access to a truly random function, or oracle access to the function defined by the PRF evaluated with a randomly generated secret key. A family of functions is a secure PRF if all polynomial time adversaries can only distinguish between the two cases with a negligible advantage over guessing. This thesis will give a formal definition of a <b-RKA secure PRF, but it will be helpful to give an intuitive definition here. When we consider PRFs in the RKA model, the adversary is given the power to modify the secret key, and so should receive oracle access to the PRF evaluated with many different key values, defining a group of functions instead of a single function. Accordingly, in the modified security game for a <b-RKA PRF, the adversary tries to distinguish between oracle access to the family of functions <h-RKA PRF and a family of truly random functions, both evaluated at a randomly generated secret key; in both cases, if the original secret key is K, the adversary obtains access to the oracle evaluated with #(K) in the family of functions for # E 4. We say a PRF is <b-RKA secure if all polynomial time adversaries have a negligible advantage in distinguishing between these two cases. It turns out that a <b-RKA PRF is an especially powerful building block for constructing other tamper-resilient primitives. This thesis will give a construction for any <b-RKA secure cryptographic primitive, using any <b-RKA PRF and a normal secure instance of the primitive as components. Interestingly, it appears the security requirements for <b-RKA secure PRFs seem to be especially difficult to satisfy - there exist classes of tampering functions <b for which <b-RKA secure signature 5 and encryption schemes exist, but for which no PRF can be <b-RKA secure. The construction of tamper-resilient primitives from <b-RKA secure PRFs, and the apparent difficulty of constructing <b-RKA secure PRFs, lead to further questions about the relationships between <b-RKA secure primitives. For example, when can one 4-RKA secure primitive be used to build a different <b-RKA secure primitive in a construction preserving <? Are there <b for which <bRKA secure instantiations of some primitives are known, but for which <b-RKA security is provably impossible for another primitive? 1.1 Contributions Prior works in the RKA model have all made the claw-free assumption[AHI11, GOR1 1]. A class of functions <b is claw-free if for any two distinct in the domain of <b, #1 (K) #1, #2 BC10, GL10, E <b, and for any K 4 #2 (K). In the context of the RKA model, the claw-free assumption is that the class of allowed tampering functions <b an adversary may use, which has domain of the secret key space, is claw-free. Unfortunately, the claw-free assumption fails to capture the tampering attacks that exist in practice. This work drops the claw-free assumption in the RKA model for the first time. This thesis gives a generic way to translate the standard, non-tampering security definition for a cryptographic primitive into a 4-RKA security definition in the RKA model. With this, we give generic construction of <b-RKA secure primitives from any normal secure instance of the primitive and any <b-RKA secure PRF - in other words, we construct primitives that are resistant to the same class of tampering functions <b as the PRF used. This construction maintains the efficiency of the original <b-RKA PRF. Further, this construction uses the <b-RKA PRF in a black-box way, so any future <b-RKA PRFs will immediately give a suite of <b-RKA primitives using this construction. We note that a similar construction was given in concurrent work[GOR11], but our construction in addition is able to drop the claw-free assumption. Motivated by this construction of <b-RKA secure primitives from <b-RKA secure PRFs, we further explore when it is possible to construct <b-RKA secure primitives from other <b-RKA secure primitives. When is it possible to give a reduction from one primitive to another in a way that 6 PRF wPRF IBE Sig PRF wPRF IBE Sig SE - CCA SE - CPA PKE - CCA = C = C C C C C C 9 c C C = = SE-CCA SE - CPA PKE - CCA _ g _ _ _ = _ _ _ = Table 1: A summary of relationships we will show; gives whether the row is contained or not contained in the column. preserves the class of allowed tampering functions <b? We give positive results across a wide variety of primitives: PRFs, wPRFs, IBE, Signatures, SE-CCA, SE-CPA, and PKE-CCA. For example, we show that <D-RKA secure IBE implies <b-RKA secure IND-CCA PKE. We also give some negative results, showing, for example, that there exists a <D for which <D-RKA secure signatures exist but no <b-RKA secure PRFs exist. Inspired by this fact , we give additional negative results: for example, there exists a <} such that a <b-RKA secure wPRF exists but for which no <D-RKA secure PRF exists. We view the relationships between different <b-RKA secure primitives as analogous to complexity theory - the relations between these primitives should help us better understand the complexity of each particular problem. We will express these relationships in a set based notation. We define RKA[P] to be the set of all <Dfor which <b-RKA secure versions of primitive P exist. In this framework, a construction of a <}-RKA secure primitive P2 from any <b-RKA secure primitive P1 will be expressed as RKA[Pi] 9 RKA[P 2]; these relationships will be shown in Section 9. Showing that there ]ib such that <DE Pi but <DV P 2 will be expressed RKA[P1 ] V RKA[P 21; these relationships will be shown in Section 10. In a few cases we will need to make additional assumptions, which we will note in the theorem. Additionally, this thesis contains an extensive literature search of physical tampering attacks, in addition to referencing prior theoretical works. This study can guide which tampering attacks should be modeled by and addressed in theory. 7 2 Motivation - Tampering is Real! Tampering is a major security concern when adversaries have physical access to the device running the cryptographic primitive, which is often the case for devices like smart-cards, pay-TV decoders, and GSM mobile phones. Successful attacks have taken a variety of forms, including chip re-writing, differential analysis, and observing memory remanence after the device is turned off[AK96] [AK97]. Each of these attacks will be further described below. 2.1 Hardware Errors Even in standard conditions, circuits are not perfect, and computations may contain errors. Though errors are typically rare, faulty hardware can make them much more likely. For example, a bug in the family of Pentium FDIV processors produced errors in floating point division[SB94]. Though errors for these faulty chips were rare for randomly generated floating .point operations, affecting about 1 in 9 billion operations, they could be quite common for adversarially selected input. 2.2 Transient Faults Transient faults are errors in computation caused by very temporary changes to conditions in the circuit executing the protocol or to the environment of the circuit. The most common attacks apply quick changes to circuitry's clock signal, power supply, or external electrical field[KK99]. Applying voltages or temperatures outside the normal range of the circuit can affect some write operations. One family of chips was susceptible to an attack that modifies the applied voltage during repeated write access to a security bit- this will often clear the bit without erasing the rest of secret memory[AK96]. Additionally, varying voltage can hamper some processes from running properly: another family of chips contained random number generator used for cryptographic processes, but the generator output a string of all 1's when a low voltage was applied, yielding very guessable secret keys[AK96]. For some processors, transient changes to the applied voltage or to the clock signal can vary the decoding and execution of individual instructions. Since different signal paths of information on a 8 chip pass through different numbers of gates, they each take (slightly) different amounts of time. For the whole computation to be correctly executed, every path must finish before the next clock signal. If an adversary can cause a small number of paths to fail to execute correctly, the protocol will yield values strongly related to the correct values but with some errors. By applying a precisely timed glitch to the clock signal, a limited number of signal paths can be affected. Similarly, changes to the applied voltage changes the amount of time each signal path takes to complete. Increasing time signals take can prevent some signal paths from completing. This has the potential to cause the CPU to execute a number of wrong instructions, or allow differential analysis[AK96]. Conditional jumps are commonly among the longest signal paths; if transient errors allow attackers to eliminate conditional jumps or test instructions[KK99], such errors can often allow them to bypass security conditions. Instruction glitches can also extend the runtime of loops; for example, an attacker might be able to extend a loop designed to print out an output buffer to print out additional values in secret memory[AK96]. Breaking out of a loop early can also be harmful, transforming a many round cipher into an easily breakable single round variant[AK97]. Varying the external electrical field can be accomplished by applying spikes of up to several hundred volts very locally on a chip by using two metal needles. Such a technique to be used to temporarily shift the voltages of nearby transistors, creating variations in signal paths based on locality instead of timing[KK99]. 2.3 Overwrite attacks Laser cutter microscopes can be used to overwrite single bits of ROM[AK97]. In the case of that the circuitry for a protocol is well known, such as for DES, attackers could find and overwrite specific bits to make key extraction easy, such as the bits the control the number of rounds for the cipher[AK97]. As another example, the lock bit of several devices with on-chip EPROM can be erased by focusing UV light on the security lock cell, which is located sufficiently far from the rest of memory. [AK96] Microprobing needles can be used to set or reset a target bit stored in EEPROM. This can be useful for a number of attacks. Consider the following attack on DES: DES keys are required 9 to have odd parity, and DES returns an error message if this fails to hold. To attack DES, an adversary can find the key by setting one bit at a time to 0, and seeing if the error message is triggered [AK97]. Circuits are often constructed with built in "test" functionalities, such as printing out the contents of memory, that are destroyed after testing is completed. Bovenlander[Bov] describes an attack on smartcards using two microprobe needles to bridge the blown fuse for test functionalities, re-enabling a test routine that prints out secret memory. Finally, lasers can also be used to destroy specific gates in a circuit, fixing their output to 0. This can be used to simplify the relationship between the secret key and the output, perhaps making the secret key easier to find[AK97]. 2.4 Memory Remanence Attacks Gutman[Gut96] describes the issue of "burn-in" in both static RAM (SRAM) and dynamic RAM (DRAM). When values are stored in the same RAM location for a significant period of time, physical changes to magnetic memory occur and leave a lasting change. To avoid these effects, sensitive information should not be stored in a single RAM location for more than several minutes. In addition to the physical changes to memory that occur over the period of minutes, even the temporarily stored capacitance of information stored only momentarily in DRAM leaves a remanence. This remanence lasts for at least several seconds after power is removed, even at room temperature and even if removed from the motherboard. This gives adversaries with physical access to the device a (brief) chance to gain information about any key stored in DRAM[CPGR05, HSH+08]. SRAM also leaves significant traces for several seconds at room temperature[Sko02]. Theoretical works show that even a small amount of memory remanence is a problem; for example, an RSA key can be recovered from only 0.27 of its bits selected randomly[HS09). 2.5 Protocol Failures Poorly designed protocols and hardware make attacks even simpler for an adversary to execute. For example, as documented in [AN95], one poorly designed satellite TV decoder had a processor 10 to store the secret key and to decrypt encoded video signals, and additionally a microcontroller to handle commands addressed to a customer smartcard ID. Unfortunately, these pieces were very modular and replacable. In the "Kentucky Fried Chip" attack, the microcontroller is replaced with one created to block deactivation messages with the customer's ID the satellite company sends out when a user stops paying for service. 2.6 Self-destructing Memory There are several examples of circuits that self-destruct and destroy their memory when physical tampering of hardware is detected[Sko02, Gut96, SPW99]. However, this feature is rarely used in practice, and fails to detect some types of tampering. Self-destructing memory is accomplished by using volatile memory inside a tamper-detecting enclosure. When tampering is detected, the volatile memory is powered down or even shorted to ground. It is important to note that this method only prevents attacks that the tamper-detecting enclosure can detect. Even more crucially, since memory takes some amount of time to decay after power is removed, this method requires that an adversary cannot read memory for some noticeable amount of time after tampering is first detected. Tamper detection sensors often are sensitive to changes in voltage or other environmental conditions [AK96], since these can cause transient faults. However, self-destruct mechanisms can decrease the reliability of hardware. One family of smartcards was designed to self-destruct when they detected low clock frequencies, but had relatively common false positives due to the large fluctuations in clock frequency on card startup[AK96]. Additionally, since many transient conditions exist naturally in circuits, for robustness sensors must be designed in such a way that they are not sensitive to transient changes in voltage[AK96], limiting the applicability of this model. Several examples of self-destructing software exist. The most popular is the current iPhone operating system, which can be set to clear memory after 10 failed passcode attempts. Unfortunately, a software based self-destruct model does not provide security guarantees in the case of physical tampering, which is the motivation for tampering security. 11 3 Models of Tampering The most general tampering models must account for all possible adversarial modifications to a protocol being executed. This includes modification of the secret key, modification of intermediate computed values (possibly as fine grained as changes to specific wires), and even modification of the program code being executed. Indeed, all such tampering attacks have occurred in practice! The vast majority of works on tampering only deal with the tampering of secret keys. These works divide nicely into two different theoretical frameworks. The first framework , the RelatedKey Attack (RKA) model, was inspired by [Bih93], and gives the adversary the ability to modify the secret-key using some family of allowable tampering functions. The second framework, the Self-Destruct model, is a relaxation of the RKA model that allows secret memory to be destroyed tampering is detected to prevent further leakage of information. This thesis will work in the RKA model, which only allows tampering on the secret key value. In this model, adversaries may replace the original secret key with a modified one between consecutive evaluations of the protocol. This is formalized by letting the adversary select a function, and replacing the secret key with this function evaluated on the secret key. Although some works in the Self-Destruct model allow the adversary to apply arbitrary polynomial time tampering functions, such strong results are actually impossible in the RKA model[KKS11]. Accordingly, works in the RKA model must further restrict which tampering functions are allowed to an adversary. Fortunately, such restrictions seem justified by the limited state of existing physical attacks, which modify a small number of bits in memory, or introduce randomized errors. On the other hand, it's important not to restrict the allowed attacks too far. The Self-Destruct model is similar to the RKA model in that it allows adversaries to select and apply tampering functions to the secret key, but it relaxes the correctness requirements of the protocol. Here, the protocol to "self-destruct" and completely overwrite secret memory if tampering is detected. A second differentiation between the models is the subtle issue of how many devices with identical memory are available to the adversary. Though not necessarily inherent in the Self-Destruct model, all works to date in this model allow adversaries a logarithmic number 12 of bits of information about the secret key per device, and so require that the adversary only has access to a constant number of copies of devices with the same secret key. To contrast, the RKA model implicitly allows the adversary access to an unbounded number of copies, since the tampering function < is applied to the secret key in every iteration. Since the Self-Destruct model gives relaxed conditions for correctness of protocols, and all works to date limit the number of copies of the device given to adversaries, the Self-Destruct model allows security against a strictly larger class of tampering functions than the RKA model[KKS11]. We note that modeling tampering of intermediate values is very difficult, since this depends on a specific instantiation of a protocol- only one theoretical work [IPSW06] allows arbitrary adversarial tampering of intermediate values in the circuit used to execute the computation. More common are works addressing random faults in computation, a body of work initiated by [BDLO1] and referred to as differential fault analysis. No theoretical works to date consider modification of the program being executed. 3.1 The History of the RKA Model Differential cryptanalysis was a technique developed by Biham and Shamir[BS90] that attacks block ciphers by observing encryptions of pairs of messages with known differences in their plaintexts; the differences between the resulting ciphertexts can give significant information about the secret key for many block ciphers. Differential cryptanalysis soon gave rise to the Related Key Attack (RKA) model, also defined in the context of block ciphers[Bih93]: instead of known relationships between plaintexts as in differential cryptanalysis, the RKA model uses known relationships between successive secret keys used. The key-scheduling algorithms used in block ciphers are generally public and well known, giving adversaries information about the relationship between successive keys. In some cases the adversary can even cause the system to move forward or backwards in the keyschedule, giving control over the key being used. Security against RKAs is now accepted as a requirement for blockciphers to be used in practice. In fact, AES was designed with the explicit goal of resisting RKAs [DR02]. After block ciphers, RKAs were next considered in the context of PRFs and psuedorandom 13 permutations, PRPs. Bellare and Kohno[BK03] provided formal theoretical definitions for both <bRKA secure PRFs and D-RKA secure PRPs. They gave important impossibility results: there exist polynomial time tampering functions for which no block-cipher can be secure. They also showed that secure block ciphers are secure against some very limited tampering attacks. Lucks[Luc04] constructed a block cipher secure against some more interesting RKAs, but used a non-standard number theoretic assumption, and also restricted the adversary to tampering a fixed half of the secret key. The later is an especially strong assumption since one can trivially construct a block cipher resilient against such tampering from any normal secure block cipher. To do this, have the new block cipher generate a secret key that is twice the length of the original block cipher, and only use the half that the adversary can't tamper. Bellare and Cash[BC10] gave the first construction of a -- RKA secure PRF under standard assumptions, using the Decisional Diffie-Hellman (DDH) assumption. In their construction, the adversary may modify the secret key by either adding a fixed element in the group of secret keys, or else multiplying by a fixed element in the group of secret keys. Goldenberg and Liskov[GL10] defined and considered <}-RKA secure hardcore bits and one-way functions; for these primitives, the tampering function is applied to the secret input of the function instead of a secret key, and the security challenge still depends on the original un-altered input to the function. They also consider <D-RKA psuedorandom generators, and show that <k-RKA secure psuedorandom bits can be used to build <D-RKA secure block ciphers. They additionally show that hard-core bits with typical proofs are not <D-RKA secure pseudorandom bits, emphasizing the difficulty of constructing tamper-resilient psuedorandom primitives. Applebaum, Harnik and Ishai[AHI11] gave a formal study of <b-RKA secure symmetric encryption, and gave two constructions of a <b-RKA secure encryption scheme where <b is comprised of functions adding constants over the group of secret keys. They use standard assumptions, giving one construction based DDH, and the other based on lattice assumptions such as learning parity with noise (LPN) or learning with errors (LWE). They also give a construction for a <D-RKA secure PRG under DDH, with the same <Das their encryption scheme construction. They show that a <>RKA secure PRG can be used to generate a <D-RKA secure encryption scheme when <D is claw-free. 14 Finally, they show that <b-RKA secure PRGs can be used for several other applications, such as correlation-robust hash functions as defined in [IKNP03]. A work by Goyal, O'Neill and Rao [GOR11], developed concurrently to work in this thesis, defines correlated-input (CI) hash functions, which are a generalization of the correlation-robust hash functions of [IKNP03]. As with RKA-security, the security of CI hash functions is parameterized by a class of allowed tampering functions <b. They show that CI hash functions, with security parameterized by <b, can be used <b-RKA secure signature schemes. (They also indicate their approach can also be used to build other <b-RKA secure primitives from CI hash functions as well.) Their construction is similar to one included in this thesis, but their very definition of CI hash functions immediately requires that <b is claw-free, while this thesis is able to drop the claw-free assumption. For a CI hash function H and unique tampering functions #1,...,#n+1 require that no adversary can predict H(#i+1 (r)) from H (#1(r)), ... , H (#"(r)). If #n,+ E <b, they 1(r) = #i(r) for some previous i, this is trivial! Further, the adversary of the CI hash function must select all tampering functions #i before even seeing the public hash-key, giving a non-adaptive form of security. [GOR11] gives a construction of a CI hash function where 4 is the class of polynomials over the input space, based on a variant of the q-Diffie Hellman Inversion assumption. Although the class of all polynomials is a very broad class, requiring the adversary to select the tampering functions non-adaptively gives that #i(r) = j (r) only with negligible probability, which is used crucially in their security proofs. 3.1.1 Claw-free assumption As mentioned previously, the claw-free assumption for works in the RKA model requires that any two distinct tampering functions for all K c IC, i(K) # #2 (K). #1, #2 E (b must disagree for every secret key in the key space - Unfortunately, this assumption fails to hold for any tampering attacks used in practice and discussed in Section 2, including random bit errors, setting a subset of bits of the secret key to a fixed value, and memory remanence attacks. Additionally, the claw-free assumption is quite restrictive: it even disallows classes of tampering functions that intuitively give very little power to an adversary. For example, it disallows tampering functions that only modify 15 the secret key on a negligible number of secret key values. Prior Works. Prior to this work, all constructions of <b-RKA secure primitives relied on the claw-free assumption. This includes the PRF construction of [BK03] which holds for classes of claw-free permutations, the block cipher construction of [Luc04] which holds for classes of claw-free functions over the half of the secret key the adversary can tamper, the PRF construction of [BC1O] which holds for the claw-free classes of addition or multiplication within the group of secret keys, the symmetric encryption schemes of [AH1l1] which holds for the claw-free family of addition over the key space, and finally for the CI hash constructions of [GOR11] in which the very definition of security requirements implies that the family of allowed tampering functions must be claw-free. Why is the Claw-Free Assumption so Useful? To reflect how tampering works in practice, in the security game for a <b-RKA secure primitive the adversary should be able to choose not to modify the secret key. To model this, we let #ID be the identity function that maps any key back to itself, and we let ID = {#1D}. In effect, ID-RKA security does not allow the adversary to modify the secret key, and so ID-RKA security should reduce to the standard (no tampering) security definition for any primitive. In general, we will assume that ID C <b, and so a <b-RKA secure primitive should always have standard security for the primitive. The claw-free assumption, combined with the assumption that ID C <b, implies that no other tampering function ever map a secret key onto itself - otherwise #(K) = #ID (K) #E ( can = K. The absence of the claw-free assumption creates serious technical difficulties in the security proof for a <b-RKA secure primitive. Generally, the proof proceeds via a reduction of the <b-RKA primitive to normal (not RKA) security of the primitive; this occurs by giving the adversary values from the normal primitive when the secret key is unmodified. However, the reduction only sees the output of the primitive, and not the hidden secret key, so it is difficult for the reduction to tell when the secret key is unmodified. The claw-free assumption avoids this difficulty since the secret key is only unmodified when the tampering function chosen is 16 #ID. 3.2 Protection versus Detection: The History of the Self-destruct Model It is impossible for many primitives to be secure in the RKA model against arbitrary polynomial time tampering functions. Consider the following example from [KKS11]. Let D contain functions that set a specific bit of the secret key to 0; then D-RKA secure signature schemes cannot exist. The adversary can simply proceed bit by bit, setting the bit to 0 and seeing if the scheme will still produce a valid signature under the original verification key; if it does, that bit of the signing key is a 0, and otherwise, it is a 1. Since there is no way to protect against this D in this model, and this 1 is a very small subset of all polynomial time functions, it is clear that 1-RKA secure signatures do not exist when the adversary is allowed to apply arbitrary polynomial time tampering functions to the secret key. Since many general security guarantees are not possible in the RKA model, many works add additional assumptions. A common additional assumption is self-destruction functionality, were the primitive can completely destroy secret memory if tampering is detected. The first theoretical work to assume a self-destruct mechanism was the work of Ishai, Prabhakaran, Sahai, and Wagner[IPSW06]. This work gives a compiler from a general circuit to a circuit that allows setting any wire in the circuit to either 0 or to 1 as the computation progress. However, this result requires a blow-up of a factor of t in the size of the compiled circuit to allow the adversary to tamper t wires in between successive runs of the protocol. Another work that gives a general compiler for tampering resilient circuits is recent work by Kalai, Lewko and Waters : they give a general compiler for circuits to allow up -th of the gates on any path to have short-circuit errors, a limited form of tampering that adversarially replaces the output of a gate by either one of its inputs. Work by Genero et. al[GLM+04] gives a compiler to allow tampering by arbitrary efficient tampering functions by storing a signature of the secret state along with the secret state. In addition to assuming self-destruct functionality, this requires the very strong assumption of having a secret signing key to be hard-wired into the circuit, and so avoids tampering on this. This work is extended in [LL10] to model both tampering and leakage of specific memory locations and wire values; they give both impossibility results and a modification of [IPSW06] to give a positive result. 17 However, the [LL10] model assumes a secret key space that is polynomial, not exponential, in the security parameter, giving adversaries a non-negligible advantage even without tampering; they also assume arbitrary polynomial time tampering functions, giving the tampering function the ability to depend on all potential secret keys, and so the ability to depend on the correct secret key. Work by Dziembowski, Krzysztof and Wichs[DPW10] define the security notion of non-malleable codes (NMC). When an adversary is allowed to modify secret memory that has been encoded with a NMC, the NMC security guarantees that the resulting output of the protocol is unmodified, or else is completely unrelated to the original value of secret memory. By adding components to encode and decode into the NMC, [DPW10] gives a way to compile a circuit into one that gives non-malleable security. In particular, they give a construction of a NMC that protects against tampering that modifies each bit of secret memory independently, and they show that NMCs exist for a much broader classes of tampering functions. The final and most recent work using the self-destruct assumption is that of Tauman-Kalai, Kanukurthi, and Sahai[KKS11], which gives the first signature and encryption schemes that are secure against both leakage and tampering. Though the tampering functions can be chosen arbitrarily, the adversary is only allowed a bounded number of tampering queries per time period. Their work additionally relies on the assumption of a non-tamperable common reference string (CRS) that is available to all parties, and uses non-interactive zero knowledge (NIZK) proofs. 3.3 The History of Tampering Intermediate Values Boneh, DeMillo and Lipton[BDL01] first explored the dangers of errors in computation- even a very small number of bit flips in intermediate values in a protocol can give a full break of an otherwise secure scheme. Specifically, they showed that both a common implementation of the Fiat-Shamir identification protocol and a Chinese-Remainder-Theorem based implementation of RSA signatures are insecure when an adversary can induce a small number of random bit-flips in intermediate values. This paper inspired a body of work called differential fault analysis (DFA), which focuses on exploits of blockciphers caused by small bitwise errors; see [BS97] for a long list of ciphers broken by DFA. 18 Protecting protocols against arbitrary intermediate values is very difficult, as this depends on the specific instantiation of a protocol, and requires analysis of tampering of each intermediate value in the computation. The only works to date that allows non-random errors in intermediate values are the works by Ishai, Prabhakaran, Sahai, and Wagner [IPSW06] and by Kalai, Lewko and Waters mentioned above in the History of the Self-Destruct model 3.2. 4 4.1 Notation & Preliminaries Notation For a set S, let |SI denote the size of S, and let s <_- S denote the operation of picking a random element of S and calling it s. For sets X and Y, let Fun(X, Y) be the set of all functions mapping X into Y. When Z is also a set, let FF(X, Y, Z) = Fun(X x Y, Z). A class of functions D will be associated with some domain X and range Y, and will be a subset of all functions mapping X to Y- 4 C Fun(X, Y). A class of functions VK 4 associated with domain K will be said to be claw-free if V# 1, #2 C 4 with #1 : 42, E EC, 0i(K) $ 42 (K). In the context of work on tampering, the claw-free assumption requires that the family of allowed tampering functions <1is claw-free. A function family is a tuple of algorithms: a parameter generator, a key generator, and a deterministic evaluator, JF = (P, KC,F). For each k E N, the function family also defines sets Dom(-) and Rng(-) such that fF(K, -) maps elements of Dom(k) to Rng(k). We will assume that each function family has associated polynomials d for the input length with Dom(k) C {0, 1}d(k), and output length 1 with Rng(k) C {0, 1}(k). For a bit b, we use b to denote the opposite of b, i.e. 0 = 1 and i = 0. A (binary) string x is identified with a vector over {0, 1} so that IxI is its length and x[i] is its i-th bit. For i < j, x[i, j] denotes the inclusive range from i-th bit through the j-th bit of x. When v is a vector, |vl gives the number of coordinates of v, and v[i] is used to denote its i-th coordinate- v = (v[1], . .. , v[lvl]). Algorithms. Unless otherwise noted, algorithms are randomized and are polynomial time in the 19 size of their inputs. For algorithms A and B, we let A 1|B denotes the algorithm that on any input x returns A(x) | B(x). We use notation for a fixed sequence of probabilistic functions, where each function is evaluated with fresh randomness, and the final object is returned: {x - A, y - B(x); C(x, y)} represents events A, B and C being executed in order, with the returned value equal to the returned value of C. 4.2 Cryptographic Primitives & Security Games A cryptographic primitive P is a tuple of algorithms, which include a key generation algorithm IC that on input a security parameter k outputs a secret key sk and optionally also a public key pk, and a number of algorithms that may take the secret key as one of their inputs. We represent a cryptographic primitive as P = (IC,g1(-), .. .,gm(-), fi(sk,),. . .f,f(sk, -)), where each algorithm fi depends on the secret key sk, and each algorithm gi does not. Without loss of generality, all algorithms run in time polynomial in k. Security Games. Every cryptographic primitive P also has an associated security definition, which in our work will be given as a security game with a security parameter k. A security game defines an interaction between two algorithms: a stateful challenger algorithm, and a stateful adversary algorithm, both of which are required to run in time polynomial in k. The security game can be played with a class of potential adversary algorithms that conform to required interactions of the game. A security game is comprised of phases, which are distinct periods of interaction between the adversary and the challenger. Each phase might optionally include the challenger correctly executing required computation, messages between the challenger and the adversary, and adversary access the output of some of the algorithms fi in P that depend on the secret key. When the adversary is allowed to view output of algorithms fi that depend on the secret key, this is modeled as the adversary gaining access to an oracle that computes fi , denoted as Ofi. An oracle call to Ofi () returns fi(sk, .). We number the phases, and for each phase 20 j we define the set of allowed oracle access Sj as containing i if the adversary has oracle access to Ofi during phase j. As part of the security definition, some input combinations may be disallowed by the oracle, where the set of disallowed input may be based on values chosen during the interactive security game. (For example, the security game for an IND-CCA2 encryption scheme disallows the adversary from requesting a decryption of its challenge ciphertext.) Additionally, the disallowed inputs might differ even for oracle access to the same fi during different phases. The notion of disal- lowed requests is formalized by a function disallowi,g(-) to disallow queries to Ofi during phase disallow, (x1, ... game in phase , -) j; returns true if i 0 Sj or xi, ... , Xo should be disallowed based on the security j, and false otherwise. In phase j, the oracle for fi sends the adversary either _L if disallowij(x1,... Xk, ) is true, or sends fi(sk, x, ... ,Xk) otherwise. Each security game is associated with a boolean function function that has value 1 when the primitive is considered broken, and has a required bound on the probability of the break for the primitive to be considered secure. Here, the probability of a break is measured over the choice of randomness for both the challenger and for the adversary. The function break might depend on the message transcript between the challenger and the adversary or on the state of the challenger and the adversary. The scheme might be considered broken when the adversary can distinguish between two possible behaviors of the challenger by guessing a secret bit selected by the game, or when the adversary generates a value that satisfies a certain relationship with the secret or public keys of the scheme. In the last case, even if the submitted values satisfy the stated relationship, some values might not be considered a valid break based on prior values that have occurred in the security game. (For example, in the game defining security for a signature scheme, even a valid message signature pair is not a break if the adversary made a prior oracle query on that message.) We use GA to denote that a security game G should be executed with adversary A that is within the class of allowed adversaries for G. Some of our games will return a value; we will use (GA _* 1) to denote the event that G played with A returns a value of 1. 21 5 RKA-Model: Formal Treatment So far our description of adversarially selected tampering functions has been loose, but we will now formalize structural requirements on them. For example, such functions must map secret keys back into the secret key space. We will call functions that meet these structural requirements a Related-Key Deriving function. Definition 5.1 (Related-Key Deriving Functions - from [BK03]) Consider a cryptographic primitive P with security parameter k. Let K be the space of secret keys for P, which is the range of secret keys created by key generation run on input Ik. We say a function 4 is a Related-Key Deriving (RKD) function is compatible with P if it satisfies 4 : K -+ K. We define RKD = Fun(K, K), the set of all RKD functions for a key-space. A class of RKD functions, typically denoted by D, is a set ( C RKD. A class P is said to be compatible with a C primitive P if all $ G are compatible with P. Example Classes of RKD Functions. The RKA model is parameterized by classes of allowed RKD functions. One class that will be used repeatedly in our proofs is the class ID, which contains only the identity function. Another class that we will reference several times is the class of all constant functions, which will be denoted by Cnst. Definition 5.2 (ID, the class of the identity function) Let 41D(X) = x, ID = {qID} is the class containing the singleton #1D. Definition 5.3 (Cnst, the class of all constant functions) For any c E K, given by $c(x) = 4c: K -+ K is c for all x E K, returning c for all input. Then Cnst is defined as the set containing pc for all c G K. Oracle Access with Tampering. As we move to the 4-RKA model, we will also want to give adversaries oracle access to values computed with tampered keys. We will use Ole* to denote oracle access to fi with allowed tampering in <b. An adversary with such access can call Ofi*(#, .); 22 if the query is disallowed or if ## D the oracle will return _L, and otherwise the oracle will return fi (#(s k), -). RKA Model. We will now formally define the Related Key Attack (RKA) model for an adversary of a cryptographic primitive, where the allowed tampering is parameterized by a class of Related Key Deriving (RKD) functions 4. Recall that a cryptographic primitive P is a tuple of algorithms, some which take a secret key sk as input. In the standard security game for the primitive, an adversary receives oracle access (for a specified period of time) to some of the algorithms that are evaluated using sk. As examples: in the game defining signature schemes, the adversary receives oracle access to the signing algorithm S, receiving S(sk, m) on query OS(m); in the game defining IND-CCA2 security for a symmetric key encryption scheme, the adversary receives access to both an encryption oracle 0 8 (m) and to a decryption oracle OD(c), receiving 5(sk, m) and D(sk, c) in response, except for the disallowed decryption query of the challenge ciphertext. We define a 1-RKA adversary against P to have all the abilities of a standard adversary against P, and in addition receives oracle access to the same algorithms as the standard adversary, except evaluated using #(sk) for # E 4> instead of sk. Returning to our examples: in the modified game for signature schemes, the adversary will now receive oracle access to 0 S,, and on query 0S' (#, m) an adversary receives a signature generated with tampered sk, S(#(sk), m) in response; for the game defining IND-CCA2 security for a symmetric encryption scheme, the adversary now receives access to encryption oracle OE4 (#, m) and decryption oracle OE) (#, c), receiving encryptions under the tampered key E(#(sk), m) and decryptions under the tampered key D(#(sk), c) in response. Moving to the RKA model causes some delicate issues to arise in when a primitive is considered broken by a I-RKA adversary. As an example, lets consider a -RKA secure signature scheme, comprised of algorithms (KC,S, V) for key generation, signing, and verification respectively. In the standard security definition for a signature scheme, a signing key and verification key are produced as (sk, vk) <$- k. An adversary adaptively asks the signing oracle for signatures for messages mi as OS(mi) and receives S(sk, mi) in return; the scheme is considered broken if the adversary can produce a message m* and signature o-* such that V(vk, m*, o-*) returns true and such that the 23 adversary never queried for a signature of m*. What should be considered a break for a <b-RKA adversary against a signature scheme? Such an adversary will adaptively make queries for signatures of mi with tampering function a signing oracle that will create signatures with tampered keys, denoted by QS0A S(#i(sk), mj) in return; in some cases #i(sk) = sk, and in other cases #i(sk) (#i, #i E (b to mi), receiving will be a different related key. When the adversary produces m* and o*, it is clear this should not be accepted as a forgery if the adversary received a signature of m* under the original secret key- in other words, m* and o-* should not count as a forgery if there is an i such that mi = m* and #i(sk) = sk. However, a more difficult, and subtle question: should a forgery m* and o* be considered a break if the adversary received a signature of m* under some different, related secret key? Considering this a valid break for the <D-RKA adversary makes minimal assumptions about what should be disallowed, and it turns out that such a notion is also achievable. Definition 5.4 (<b-RKA Security) Recall that a cryptographic primitive P is a tuple of algorithms, P = (gi(), gm(-), fi(sk, -),. . . ,fn (sk, .)), where each fi depends on the secret key sk, and each gi does not. Say a standard (non-tampering) security game for P defines set S to be the set of i such that the adversary receives oracle access to Ofi during phase j, possibly with inputs disallowed with disaIowi,3 (.). To use oracle access to fi in phase j, the adversary queries Ofi(x 1 , .. . , xk), to which the oracle replies with either I if disallow,(x1,.... ,xk,-) is true, or fi(sk,x1,...,xk) otherwise. To move to the <>-RKA model, the 4-RKA adversary participates in the same security game as in the standard model the with some modifications. In phase j, if i G Sj so that the adversary received oracle access to fi, the <b-RKA adversary should now receive oracle access to of 0fi. When the <b-RKA adversary makes call Ofi"'(#,x1,... computes the tampered key sk' = #(sk). , xk) .. f, instead to the oracle, the oracle first If sk' = sk and disallowij(x1,... returns -L; otherwise the oracles returns fi(sk',xi,. 0 ,xk,-) is true, the oracle ,xk). The definition of a break of the security of the scheme is unmodified, and should explicitly state all uses of the secret key of the scheme. Additionally, the definition of what it means for P to be secure remains unchanged. The standardsecurity definition defines P to be secure if certain bounds 24 apply to the probability of a break for all polynomial time adversaries; we say that P is secure if the same bounds apply to all polynomial time (b-RKA (b-RKA adversaries. As part of this thesis, we will give concrete definitions for <b-RKA security as it applies to a number of different primitives, including PRFs, wPRFs, IBE, Signatures, SE-CCA, SE-CPA, and PKE-CCA. Remarks about <D-RKA Security. " We note that this model gives the <D-RKA adversary access to many copies of primitive with the original secret key; for each iteration, the adversary is given access to the primitive evaluated on the original secret key, even though the tampering function # applied in previous iterations might not have been invertible. * Note that while some queries of a <-RKA adversary to an oracle Ofi,* might be disallowed via disallowo, no such restriction is applied unless #(sk) = sk;this appears to be a minimal assumption. " If the standard security definition for a primitive creates a challenge for the adversary, this challenge should be created with the original secret key sk <b-RKA adversary, and not some tampered sk. Otherwise this definition would immediately disallow <b that contain # with low entropy output. " We would like for security in the RKA model to always imply security in a standard security model. To do this, we will assume that ID, the class that only contains the identity function, is always in the class of allowed tampering functions. ID models the adversary's ability to choose not to tamper the secret key of a system, and so ID-RKA security always reduces to the normal security for the primitive. The definition of a break of security for a <b-RKA secure P is the same as for a normal secure instance of P. This is particularly interesting when the definition of a valid break depends on prior queries of the adversary. In the case of a <D-RKA signature scheme, a break is defined when the 25 adversary produces a valid message, signature pair such that it never received a signature of the message generated with the original signing key; a forgery on a message is still considered valid even if the adversary received signatures on that message generated with modified signing keys! This is identical to the definition of a forgery in the normal secure case, where a forgery is valid if the adversary never received a signature on the message generated with the original signing key. Signature schemes are of particular interest in considering the definition of a break of security in the RKA-model since the breaking condition depends on prior queries of the adversary. Prior work defining <b-RKA security for signature schemes [GOR11] has instead defined a break as a valid message signature pair such that the adversary never queried for a signature on that message using the identity function, #1D, as the tampering function. This disallows a subset of the forgeries we disallow, since a query with RKD #ID will always generate the signature under the original unmodified secret key; however, this definition immediately requires that the adversary cannot find a such ' # #ID that #(sk) = sk, or the adversary will have an easy forgery. Thus the definition of [GOR11] disallows <>-RKA secure signature schemes when <D fails to be claw-free, while such constructions are possible and meaningful in our definition. RKA sets. This thesis will address the relative strength of <b-RKA security for many different cryptographic primitives. In order to achieve this, we will need a notion of what <D-RKA security is attainable for each primitive. Definition 5.5 (RKA [P] - the set of <h for which <b-RKA secure P exist) A class of RKD functions <> is said to be achievable for the primitive P if there exists a <b-RKA secure instantiation of P. We further define RKA[P] to be the set of all <k that are achievable for primitive P. Using this set based notation will allow us to easily make comparative statements about <k-RKA secure primitives. We will give a number of containment results of the form RKA[Pi] c RKA[P 2] by providing a construction of a <b-RKA secure P 2 from any <D-RKA secure P 1 . We will also provide negative results of the form RKA[Pi] 5 RKA[P 2] by showing there exists a <Dfor which <D c RKA[P1 ] but <b g RKA[Pi]. Both containment and non-containment relationships give implications about the achievability of <h-RKA security for a given primitive. 26 We note that since RKA[P] is comprised of <} such that a 4-RKA secure P exists, RKA[P] might change depending on what assumptions we are willing to make, such as whether one-way functions exist. In general when considering RKA[P], we will in general make the assumption that a normal (non-tampering) secure instance of P exists, but will need to make no additional assumptions for the relationships between primitives that we provide. <D-RKA secure PRFs 6 The first theoretical works addressing RKA security dealt PRFs[BK03, Luc04], and as we will later discover, <b-RKA PRFs will a strong starting point for building other primitives. We give a full definition of <h-RKA secure PRFs here since it is used widely in our constructions, and to illustrate some of the points in definition 5.4 of <k-RKA security. 6.1 Pseudorandom Functions Since the definition for a <b-RKA PRF builds on the standard definition for a PRF[GGM86], we will first give the standard definition here. Definition 6.1 (Pseudorandom Function - PRF) The following security game is defined for a function family FF = (K, F) with algorithms for key generation and evaluation, respectively. For a security parameterk, we assume that an instance of FF with key K 4- k(ik) has an efficiently computable domain and range given by Dom(.) and Rng(.). 1. Setup Phase. The challenger generates a key for the PRF as K - J(lk), and selects a random bit b - {o,1}. 2. Query Phase. The adversary is allowed to adaptively query for points x G Dom(k) to an oracle as 0'0(K,x). If b = 0 and the adversary has never queried x, the challenger randomly selects a point y - Rng(k) to return to the adversary, and saves it as T[x] = y; if x has been queried previously, i.e. T[x] is defined, the challenger returns the previous value of T[x]. 27 Otherwise, if b O,, = 1 then oracle access to 0P is equivalent to the PRF evaluation function and the challenger responds to a query x with F(K,x). 3. Guess. The adversary must return a guess b' of the hidden bit b. For any function family fF, dorandom Function (PR) let AdvA(k) if Adv Pr[b =b' - . We say that SF is a Pseu- A (k) is negligible in k for all polynomial time adversaries A. 6.2 <b-RKA PRFs The definition of a PRF requires that the function indexed by a randomly selected key is indistinguishable from a random function for any polynomial time adversary. In the RKA model the adversary is given access to an oracle that evaluates the PRF using tampered keys, and so will now have access to the functions indexed by multiple keys. As will be formalized shortly, PRF security in the RKA model requires that for any polynomial time adversary, the family of functions is indistinguishable from a family of truly random functions, when accessed at indices generated by a random key and tampered values of that key. The only changes to the security game of the <b-RKA PRF from that of a normal PRF are in the query phase, where the adversary receives oracle access to the PRF evaluated using the secret key- this is modified to give the adversary access to the PRF evaluated using tampered secret keys. Definition 6.2 (<b-RKA PRF) The following security game is defined for a function family J7 = (AZ, F) with algorithms for key generation and evaluation, respectively. For a security pa- rameter k, we assume that an instance of F with key K - C(lk) has an efficiently computable domain and range given by Dom(.) and Rng(.), and a compatible class of RKD functions (b. 1. Setup Phase. The challenger generates a key for the PRF as K 4 I(Ik), and selects a random bit b 4- {o, 1}. 2. Query Phase. The adversary is allowed to adaptively query for points x tampering function $ E <b to as 00 *($,x). 28 E Dom(k) with a Upon receiving an oracle query (x, $), the challengerfirst computes the tampered key K' <- $(K). If b = 0 and the adversary has never received a value for x and K', the challenger randomly selects a point y +- Rng(k) to return to the adversary, and saves it as T[K', x] = y; if x with key K' has been queried previously, i.e. T [K', x] is defined, the challenger returns the previous value in T [K', x]. Otherwise, if b = 1 then the challenger responds to a query x with F(K',x). 3. Guess. The adversary must return a guess b' of the hidden bit. For any function family 1F, let Adv (k) Pr[b b'] - 1. We say that FF is a Pseu- dorandom Function (PRF) if AdvA (k) is negligible in k for all polynomial time adversaries A. We note that in general, PRFs are not 4-RKA PRFs. Although individual randomly selected functions from the PRF are indistinguishable from random, the structure of functions with related indices might be far from random. For example, a PRF might simply ignore several bits of its key, and so functions with indices differing only in the ignored bits will actually be identical. An alternative and equivalent definition follows which is based on two separate games, one in which an adversary always receives access to the real function family, and a second one in which it always receives access to a truly random function family. This definition will be used to simplify several proofs. Definition 6.3 (Alternative Definition for a <b-RKA PRF) The following two security games, PRFReal and PRFRand, are both defined for a function family FF = (IC,F) with algorithms for key generation and evaluation, respectively. For a security parameterk, we assume that an instance of 17 with key K +$ IC(lk) has an efficiently computable domain and range given by Dom(.) and Rng(.), and a compatible class of RKD functions (b. They share a setup phase and a guess phase, but differ in the query phase. 1. Setup Phase. The challenger generates a key for the PRF as K A A(lk). 2a. Query Phase for PRFReal. The adversary is allowed to adaptively make queries of the form (x, #) with x G Dom(k) and # E <b. The challenger first computes K' <29 #(K) and returns .F(K',x) to the adversary. 2b. Query Phase for PRFRand. The adversary is allowed to adaptively make queries of the form (x,#5) with x G Dom(k) and p G 4. The challenger first computes K' is undefined, the challenger sets T[K', x] +$ Rng(k). <- p(K). If T[K',x] The challenger sends T[K', x] to the adversary. 3. Guess. The adversary must return a guess b' of whether it is playing game PRFRand or game PRFReal. Pr[PRFRand^ -> 1] - Pr[PRFRealA -> 1]. Standard arguments imply that AdvA ,(k) 7 Identity-Key Fingerprints and Identity Collision Resistance In our constructions, we will want to reduce the D-RKA security of a primitive to the normal, non-tampering security of the same primitive. Such a reduction is achieved by construction of an adversary A that can break a normal secure primitive by using any D-RKA adversary B that can break the D-RKA security of the primitive. Our constructions have A answer oracle queries of the D-RKA adversary B in the following way: 1. When B's submitted 4 leaves the secret key unchanged, A should answer B's queries using its own oracle access to a non-tampering oracle. Since the definition of a break in the 1-RKA security of any primitive is a valid break for the original untampered secret key, this will guarantee that a successful break for B will also be a successful break for A. 2. B's queries to different modified keys should give it no additional information about the original secret key; A should be able simulate answers to oracle queries to modified keys. To achieve the second point, we design our D-RKA primitives so that A can simulate answers to B's oracle queries by randomly generating instances of a normal (non-tampering) version of the primitive. The first point adds a greater technical challenge: when answering B's query with related-key deriving function #, how will A know when the secret key is unchanged and to answer with its own 30 oracle access? The A only has access to oracle queries to the primitive, but not the secret key of the primitive. As an example of this difficulty, imagine A is an adversary against a PRF. A is given oracle access to either the PRF or a family of truly random functions evaluated with the hidden sk. Though A query this oracle at many points in the domain of the PRF, this might be little help in telling whether #(sk) = sk. (Consider a PRF that ignores the last bit of the secret key, and a <b that allows the adversary to set the last bit of the secret key to either 0 or 1.) 7.1 Identity-Key Fingerprint To solve this and other technical issues associated with dropping the claw-free assumption, we will use a new tool, called an Identity-key Fingerprint (IDFP), to determine when the secret key of a PRF has changed. To accomplish this, an IDFP for a function family generates a vector of points in the domain, called the fingerprint; except with negligible probability, a function evaluated with a random secret key key and the function evaluated with a tampered key will differ at at least one of the points in the fingerprint. Like our definition of RKA security, an IDFP will be parameterized by <b, the class of allowed tampering functions. Definition 7.1 (Identity-key Fingerprint - IDFP) Let F = (K, .F) be any function family, with key-generation and evaluation algorithms respectively, an associated security parameter k, and with an efficiently computable domain given by Dom(.). A fingerprint is a vector of points in the domain of F with length v(k) that is polynomial in k. An identity key fingerprint (IDFP)is an algorithm IKfp that produces a fingerprint for F as w - |IKfp(1k). The following game gives the security requirementsfor for F, and is parameterized by a compatible class of RKD functions <b for F. 1. Setup Phase. The challenger generates a key for F as K $ J(lk). The challenger also generates the fingerprintfor FF as w + |IKfp(1k), and sends the fingerprint to the adversary. Finally, the variable WIN is set to have value false. 2. Query Phase. The adversary is allowed to make adaptive queries to an IDFP oracle for $ as 0 idf,4 E (D ($). The challenger answers this oracle query by first computing the tampered key 31 K' +- <(K). IfK K', and .F(K,w[i]) =.F(K',w[i])for all i c [lwl], WIN +- true. In any event, the challenger sends the adversary FK',w[i]) for all i E w ]I. For any adversary A that is polynomial time in k, we define Adv ifA We say 7F (k) = Pr[WIN = true]. is 1-IDFP secure if this advantage function is negligible in k for all such polynomial time adversariesA. The notion of IDFP can be seen as a relaxation of the key fingerprint defined by Bellare and Cash[BC10]. The key fingerprint of [BC10] for a PRF allows statistical disambiguation of any pair of keys: except with negligible probability, any two keys will differ at some point in the key fingerprint. They showed that the Naor-Reingold PRF (NR-PRF) had such a key fingerprint, but in general, it does not seem common. Interestingly, their own NR-PRFs, are not known to have a key fingerprint. 4-RKA PRFs, which build on The IDFP has the weaker requirement of computational disambiguation of the original key from other keys: given a randomly generated original key, it must be computationally hard to find a second key that agrees at all points in the IDFP. The IDFP notion is easier to satisfy than that of the key fingerprint, and will still be sufficient for our constructions. We are not able to give a general proof that a D-RKA secure PRF also has is 4-IDFP secure, and so will have to make this an assumption in some of our constructions. We are, however, able to show that for claw-free 4, any D-RKA secure PRF with large enough range is <b-IDFP secure, using any point in the domain functioning as the fingerprint. This adds to the evidence that assuming D-IDFP security for D-RKA secure PRF is reasonable. Proposition 7.2 (<b-RKA secure PRFs have 1-IDFP for claw-free <b) Let <b be a claw-free class of RKD functions, and let SF be a (b-RKA secure PRF with efficiently computable domain domain Dom(.) and super-polynomial size range Rng(.). Then 71 is 4-IDFPsecure, using IDFP algorithm |Kfp(1k) that returns the 1-vector comprised of any fixed element in Dom(-). Proof: Define the IDFP algorithm IKfp(lk) to return the lexicographically first element in Dom(1k). 32 Using any adversary A against the D-IDFP security of PRF J7 against the i-RKA security of Adv 77, we construct an adversary B with ,((k) < Adv FFB(k) + Rng(k)l' where q(k) is the number of oracle queries made by A to Oidfp. B receives oracle access to 0 ,, which answers its queries OU%* PRF or a truly random function. Recall that assumes that #ID E #ID is (#, x) with using either a the identity function and the RKA-model 4. B generates the fingerprint as w <-- IKfp(1k), and then computes y[1] <- OW*(#ID, w[1]), which is the value returned by the oracle, evaluated using the original secret and the single value in the fingerprint. Finally, B initializes a set T to empty. For the reduction, B provides the IDFP adversary A with input of fingerprint w. When A makes a query to the IDFP oracle as Oidfp,4 (#), B queries its <-RKA PRF oracle with z = 0 and returns the value z to A. Additionally, if z = y then B sets a variable <- true. When A halts, B returns 1 if WIN = WIN (#, w[1]), true , and 0 otherwise. For the analysis, we consider the cases that B has oracle access to the real PRF in PRFReal or a truly random function in PRFRand separately. First lets consider the game PRFReal, where B's oracle queries to 0 4 (#, w[1]) are answered by the real PRF, z = Y(#(K), w[1]). In this case, A is getting the correct distribution for the PRF and so is playing the exact game defining D-IDFP security; B will set found # WIN = true when A has such that F(#, w[l]) = F(#ID, w[1]) and has broken the security of the IDFP. Thus B will return 1 with probability given by Adv (k). In game PRFRand, B's oracle queries to 0pI(#(, w[1]) are instead answered with a truly random function. Let q(k) be the number of queries A makes to Oidf,*. When A queries a the tampered key must be different from the original key, since assumption and the fact that from y = #ID(K) #j(K) #i 4#ID, = K by the claw-free = K. Thus in this case z = 0-'(#$, w[1]) is independent O1(41D,w[1]), and so for each query B sets 33 WIN to true with probability at most 1). Rng(1k)|q* B never sets WIN to true when A queries with <ID, since this only happens when the key is modified. Thus in this case, by a union bound B returns 1 with probability at most q y. Then Pr[PRFRealB Pr[PRFRandB r 1] = 1] < Adv p (k) q(k) rRng(k)| where q(-) is the number of oracle queries made by A. Using definition 6.3 for Advp (k) gives the desired result. Using Proposition 7.2, the <b-RKA PRF construction of [BC10] can be used to generate an IDFP, since the <b they use is claw-free. Interestingly, though they use key fingerprints to create their <-RKA secure PRF, no key fingerprint is known for their construction. Unfortunately, this construction of IDFP only works for claw-free <D, while we will need IDFP for classes <b without the claw-free assumption. For some of our constructions of higher level <b-RKA secure primitives, we will assume the <D-IDFP security of given <D-RKA PRFs, even when <} is not claw-free. In practice, a vector over a distinct points in the domain should be a suitable fingerprint and assuming the existence of IDFPs seems to be a reasonable even when <D is not claw-free. 7.2 <b-RKA Secure Pseudorandom Generators To drop the claw-free assumption on <D in our constructions, we introduce and use a new security notion called Identity Collision Resistance (ICR); this notion is parameterized by <}, and a primitive possessing this property is said to be <D-ICR secure. In particular, we will build psuedorandom generators (PRGs) that are both <h-RKA and <b-ICR secure, using any <b-RKA and 4-IDFP secure PRF. A pseudorandom generator (PRG)[BM84] is a tuple of algorithms PRQ = (1C, !) for key generation and evaluation of the PRG respectively; 'PRg also has an associated function r(.) that gives the output length of the PRG, which must be longer 34 than the length of the secret key. The secret key of a PRG is called a seed; when the evaluation algorithm is run on a randomly generated seed, it outputs a value that is indistinguishable from random, even though r(-) ensures that the output is longer than the secret key and so is lacking full entropy. Definition 7.3 (Psuedorandom Generator - PRG) A psuedorandom generator (PRG) is a tuple of algorithms 'PT = (AC, 9). For a security parameter k, the key generation algorithm JC(lk) generates a secret key sk called a seed, and g(sk) returns a string of length r(k), where r(k) > Isk|, ensuring that 'PRq is length expanding. Further, the output of 9(sk) should be indistinguishable from a random string for any polynomial time adversary, as is formalized in the following security game for an adversary A: 1. Setup Phase. The challenger generates a seed as K - K(lk) and generates a random bit b - {0, 1}. 2. Query Phase. The adversary A is given oracle access to 0 G, which takes no input param- eters. If b = 0, and A has already queried ORG, the previously returned value is returned again; if this is A's first query, the oracle returns a value from the uniform distribution of length r(k), i.e. a uniformly selected element of {0, }r(k). Otherwise when b = 1, the oracle returns 9(K) to A. 3. Guess. A must return a guess b' of the hidden bit b. We define AdvpQAg(k) = Pr[b = b'] - -, and say that 'P!1 (PRG) if Adv is a pseudorandom generator (k) is negligible in k for all polynomial time adversaries A. <D-RKA Secure PRGs.. Extending the definition of a PRG to the RKA model, the adversary can query the PRG evaluation function along with a related-key deriving function #. In the modified security game, the adversary can obtain output of the PRG (or random function) with not only the original seed, but also seeds modified with #. To the adversary, each distinct seed of the PRG should yield what appears to be an independent random value. 35 We note that unlike the standard definition for a PRG, we will not require a <b-RKA PRG to be length expanding: the benefit of the <b-RKA PRG is that its output appears random even for related keys, and not length extension. However, one can easily create a length-extending <b-RKA PRG by applying a standard PRG to the output of a <b-RKA PRG[Luc04]. Definition 7.4 (<D-RKA PRG) The following security game for an adversary A is defined for a 'PRG and a RKD specification <Dthat is compatible with 'PRG = (K, 9), and a security parameter k. 1. Setup Phase. The challenger generates a seed for the PRG as K random bit b +- <- IC(lk), and selects a {o, 1}. 2. Query Phase. A is allowed to adaptively query tamperingfunctions $ in the family of allowed tampering functions (b. Upon receiving a query $, the challenger first computes the tampered seed K' <- O(K). If b = 0 and the adversary has never received a value for K' , the challenger randomly selects a point in the range of G to return to the adversary; if seed K' has been 1 then the queried previously, the challenger returns the previous value. Otherwise, if b challenger responds to a query x with G(K'). 3. Guess. The adversary must return a guess b' of the hidden bit. For a primitive 'PTR as defined above, we define Advg,(k) that 'PQ is a <b-RKA secure PRG if Ady ,4,(k) = Pr[b = b'] - {, and say is negligible in k for all polynomial time adversaries A. As with <b-RKA secure PRFs, it will help our proofs to have an alternative definition of <b-RKA secure PRGs that separately considers the cases where the adversary has oracle access to the PRG and when they have oracle access to a random function instead. Definition 7.5 (Alternative Definition for a <D-RKA PRG) The following two security games, PRGReal and PRGRand, are both defined for 'PTq = (KC,9) and a RKD specification <D that is compatible with .PTRG, a security parameter k, and an adversary A. 36 We assume that an instance with key K of 'P9RL $ K(1k) has an efficiently computable domain and range given by Dom(.) and Rng(-). These two games share a setup phase and a guess phase, but differ in the query phase. 1. Setup Phase. The challenger generates a seed for the PRG as K 4 K(1k). 2a. Query Phase for PRGReal. A is allowed to adaptively query tampering functions 0 G , to which the challenger replies with F(K') to the adversary. (). 2b. Query Phase for PRGRand. A is allowed to adaptively query tamperingfunctions O0' The challengerfirst computes K' <-#O(K). If T[K'] is undefined, the adversary sets T[K'] 4 Rng(k). The challenger sends T[K'] to the adversary. 3. Guess. The adversary must return'a guess b' of whether it is playing game PRGRand or game PRGReal. Standard arguments imply that Advg, ,(k) 7.3 = Pr[PRFRandA -> 1] - Pr[PRFRealA -> 1]. Identity Collision Resistance For our constructions, we will define and use a new weak form of collision resistance for PRGs. # E 4(K) # Roughly, for a D-ICR secure PRG, it should be difficult for an adversary to find a -D that modifies the hidden seed but that fails to change the output of the PRG, with K yet 9(#(K)) = g(K). This definition is formalized below. Definition 7.6 (4-ICR secure PRG) The following security game for an adversaryC is defined for a 'PR& = (P, 1C) with a compatible RKD specification D, and a security parameter k. 1. Setup Phase. The challenger generates a seed for the PRG as K - K(lk), computes T <- 9(K), and initializes the variable WIN to false. 2. Query Phase. The adversaryC adaptively queries 0 ic',0 as 0 these queries by first computing the tampered seed K' <on the tampered seed as S <- 9(K'). If K' 37 f (). 'crD #(K), The challenger answers and then evaluates the 'PRQ K and S = T, the adversary has found a collision, and WIN <- true. To answer the query, the challenger returns S to the adversary C. Let Adv g,c,<1>(k) equal Pr[WIN = true] when the game has input 1 k. We say 'PKQ is (b-ICR secure if this advantage function is negligible. Does <b-RKA security imply b-ICR security?. ICR security is only violated when two distinct seeds map to the same value in the range of a PRG. We note that an adversary given oracle access to a truly random function will only very rarely be able to find two distinct seeds that map to the same value; since a <b-RKA secure PRG is indistinguishable from a random function (when evaluated at points given by tampered seeds), it would at first appear that <b-RKA security implies <-ICR security for a PRG, and that adversary that breaks the <b-ICR security of the PRG could be used to build a distinguisher of the <b-RKA PRG and a truly random function. Unfortunately - and unintuitively! - this is not the case. Let's begin to see where this intuition breaks down. To build a distinguisher of the <b-RKA PRG and a truly random function, we would try to get the <b-ICR adversary to find a collision of distinct points; if the <b-ICR adversary finds a collision with its oracle access, the distinguisher guess it has access to the PRG. This intuition breaks down because the distinguisher only sees the output of the oracle, and so does not actually see the secret key- the distinguisher does not know whether a repeated output was generated by the same secret key. Further, it assumes that < modifies the secret key in the same way in both the real and random games. As we will see shortly, it is possible that a repeated output is caused by two different seeds in the real game, and by the same seed in the random game. This will allow the adversary to break the <b-ICR security, while still giving indistinguishable views of the real and random games for the <D-RKA PRG distinguisher! We formalize these ideas to prove that <b-RKA security does not imply <D-ICR security. Proposition 7.7 [ (b-RKA Security does not imply <b-ICR Security] Suppose there exists a normal-secure PRG 'PRQ = (IC,g) with security parameter k, output length given by r(k) = w(k), and with range super-polynomial in k. 38 Then there exists a PRG G = (K, 9) with the same r(.), and a compatible class of RKD f(k) be the length of the seed returned by flA(1k), (b-RKA C(1k). IC for PR~g to pick a random bit c +- {0, 1}, and We construct the new key-generation algorithm returns c such that 'PtG is secure. secure but 'P\_G is not (b-ICR Proof: Let (b, as /C(1k) $ {c +- {0, 1}, 1 (1k) : |1(1k)}. The new evaluation algorithm C parses K into c K, where c is a bit, and |KI =(k), and then returns g(K); 9(K) more formally, 9(K) = g(K[2, lKl]). Note that this new evaluation algorithm 9 ignores the first bit of the seed, and so 9 will agree on any two seeds differing only in the first bit - thus any # that modifies the first bit will lead to a win for an adversary in the 4-ICR security game. We define <D such that our constructed 'PRg is <D-RKA secure but not <D-ICR secure. Briefly, our <D will be created so that # E Ch will only modify input in the real game PRGReal and not in the random game PRGRand; with this, output collisions will occur in both cases, but any output collisions in the random case are trivial since the seed will not be modified here. Let KK with its first bit flipped. For a R denote E {0, 1}r(k) and K c (0, 1)e(k)+l, we define #R(K) to be K if 9(K) $ R, and have its first bit flipped as K- otherwise: #R(K) - We let <} = ID U UR E{O,1}y(k){#OR} K if 9(K) $ R - otherwise be the collection of #R for all R E (0, 1}r(k), along with #1D the identity function. Our constructed 'PRg fails to be <h-ICR secure: an adversary A that makes a query X = 9(K) in response, and can then make query #x(K) #x. By definition of our #, #1D receives since 9(K) = X, will flip the first bit of the seed and give a non-trivial collision, setting WIN <- true, and giving the adversary an advantage of 1. Next, we must show that 'PRg is <b-RKA secure under the assumption that 'PZG was normal (i.e. ID-RKA) secure. To do this, we will construct an adversary B against the normal security of 39 'P1G from any adversary A against the <b-RKA security of 'PRG. B against the normal security of 'PRG receives either oracle access to 'P!g in game PRGReal, or oracle access to a random function in game PRGRand. We let B compute X +- OoPRG( ). But we note that in A's game PRGReal, all of A's queries should be answered by a single value generated by 'PRg evaluated on a random seed; similarly, in A's game PRGRand, all of A's queries should be answered by a single random value in the range of TPRg. Thus, B can answer X to all of A's queries O"G4-'*(<); this correctly simulate A's game PRGReal when B is in game PRGReal, and correctly simulate A's game PRGRand when B is in game PRGRand. When A returns its guess of hidden bit b', B also outputs b'. Thus, Adv" PRQ,B,ID (k) = Pr[PRFRandB 4 1] - Pr[PRFRealB Pr[PRFRealA - 1] = Advg(k), -> 1] = Pr[PRFRandA = 1 - as desired. Building <D-ICR PRGs. As shown above, not all <D-RKA secure PRGs are <D-ICR secure, but we will need PRGs with both properties for our constructions. To do this, we will build a PRG that is both <D-ICR and <b-RKA secure from any <D-RKA PRF that is <D-IDFP secure, i.e., a <D-RKA secure PRF with a key fingerprint for the identity function. Proposition 7.8 Let 77 = (K, F) be a <D-RKA PRF with output length f(k) for security parameter k. Let IKfp be a <D -IDFP secure identity key fingerprint function for 7F with vector length v(k). = (RG), Define PRG 'Pg IC on input 1 k, with associated output length given by r(.), as follows: compute fingerprint w <-- IKfp(1k ) and and the secret key for a PRF K K(lk), and return K = (w, K) " g(w, K) = .F(K, w[1]) || .- - F(K,w[lwl]) e The length of the output of the PRG is given as r(k) = Then 'PG is both (D-RKA secure and <D-ICR secure. 40 l(k) - v(k) Proof: Let A 1 be any adversary against the <I-ICR security of PRQ, and let A 2 be any adversary against the <b-RKA security of 'PTg. We will use to build an adversary B 1 against the <b-IDFP security of F, and an adversary B 2 against the 4-RKA security of FF. First, we will construct B 1 , an adversary against the <}-IDFP security of F, which receives fingerprint w for F, using Ai, the adversary against the <D-ICR security of 'PGQ. A 1 makes oracle queries of the form 0- 9 ,*(#). To answer this, B1 first queries its own oracle Oidf,'D( 95 , w[i]) for all i E [lwl]; B 1 receives F(#(K),w[i]) for each i, and simply concatenates all these to form and return the proper response to A 1 's queries. A 1 is said to break the <D-ICR security if it queries a such that #*(K) $ #* K yet the concatenation of all F(#* (K), w[i]) is the same as the concatenation of all F(K, w[i]). In this case, B 1 wins too when it queries its oracle with #* - here, the key will be modified yet no part of the fingerprint will. Thus Advit k) (k) > Adyvgic Next we construct B 2 , the adversary against the <D-RKA security of F, from any A 2 against the <D-RKA security of PRGQ. When A 2 submits queries (#), B 2 answers by first querying its '"RG,D own oracle OidfP,(#, w[i]) for all i c [|wf], and concatenating each of these; note that when B 2 is playing PRFReal, this will simulate PRGReal for A 2 , and when B 2 is playing PRFRand this will simulate PRGRand for A 2 . Thus when A 2 guesses b', B 2 copies this guess, and so B 2 will correctly guess b exactly when A 2 does. Thus Advp ,B2 ,(k) > Adv gA 2 ,(k) This construction also shows how to build a <D-RKA PRG from any <D-RKA PRF, though if you don't need the <b-ICR property it is simpler just to apply the PRF to a constant input. Corollary 7.9 Since any (k-RKA PRF can be used to build a (k-RKA PRG as above, RKA[PRF] C RKA[PRG]. 41 8 Definitions of <D-RKA Secure Primitives Though Definition 5.4 gives a general transformation from the standard security definition of a primitive to the 4-RKA security definition, there are a number of subtleties in the transformation. Here, we will explicitly give definitions for a number of additional -- RKA secure primitives: signature schemes, CCA public key encryption, weak PRF, and symmetric key encryption. The original security definitions for these primitives can be obtained by setting 4 = ID. Signatures. Most of the primitives we will consider have security definitions that are based on indistinguishability; signature schemes are the one primitive that we consider that defines a break based on a produced value of the adversary that depends on the secret and public keys of the scheme. Since there are subtleties in the definition of a 4-RKA secure signature scheme, we will first give the standard definition of a signature scheme. Definition 8.1 (Signature Scheme - [DH76]) A signaturescheme 'DS = (K, S, V) is a tuple of algorithms, for key generation, signing, and verification algorithms respectively, with an associated security parameterk, and efficiently computable message space M(k). The key-generation algorithm generates a verification key vk and a signing key sk as (vk, sk) +C(1lk). The signing algorithm S is used to sign messages m E M(k) as S(sk, m). The verification algorithm V takes parameters of a verification key, a message, and a signature as V(vk, m, -), and returns either true or false depending on whether the signature is valid or invalid respectively. For the correctness of a scheme, if keys are generated properly as (vk, sk) 4 IC(lk), the signature a- 4 S(sk,m), should always verify, giving V(vk,m,o-) = true. We define the security of the scheme via the following game for an adversary A. 1. Setup Phase. The challenger generates verification and signing keys as (vk, sk) The challenger also initializes the set of disallowed messages for forgery as M <- 40. K(lk). Finally, the challenger gives the verification key vk to A. 2. Query Phase. A adaptively asks for signatures of messages m G M to a signing oracle as 42 OS(m). When the challenger receives m, it adds m to the set of disallowed messages for forgery as M <- M U {m}, and finally returns a $ S(sk, m) to A. 3. Forge. The adversary halts and outputs a message and signature pair (m*,-o), with m* - M. We define Adv scheme if Adv ,~ ~(k) (k) = Pr[m* M A V(vk,m,o-) = 1]; we say DS is a secure signature is negligible in k for all adversariesA that run in time polynomial in k. To adapt this definition to the RKA model, the security game is modified so that the adversary receives access to a signing oracle that works on tampered keys. Now, A should be able to make adaptive queries 0s,' (#, m) and receive S(#(sk), m) in return. Moving the definition of a forgery from the standard model to the RKA model causes more delicate issues to arise. In the standard definition, the adversary's forgery must be on a previously unsigned message. Definition 5.4 helps us convert this to the RKA model, where the winning condition should not depend on modified secret keys. Here, a D-RKA adversary that outputs (m*, *) should be said to have a valid forgery if it never received a signature on the message m* generated with the original secret key. This appears to be a minimal requirement for the disallowed set of messages. Prior work [GOR11] defining 4-RKA secure signature schemes instead called a forgery valid if the adversary never made a signature query with the identity function as OS'4)(#1D, m*); our definition disallows only a subset of the messages that [GORl1] disallows, and makes sense even when 4J fails to be claw-free. Definition 8.2 (4-RKA Signature Scheme) A 4I-RKA secure signaturescheme DS = (IC,S, V) is a tuple of algorithms, for key generation, signing, and verification algorithms respectively, with an associated security parameterk, and efficiently computable message space M(k). The algorithms of a 4J-RKA secure signature scheme satisfy the same structure and correctness properties as a standard signature scheme, given in Definition 8.1. The security game is parameterized by (b that is compatible with DS is defined for an adversary A. 1. Setup Phase. The challenger generates and verification and signing keys as (vk, sk) $ IC(1k). 43 The challenger also initializes the set of disallowed messages for forgery as M <- 0. Finally, the challenger gives the parameters and verification key (vk) to adversary A. 2. Query Phase. A is allowed to adaptively make oracle queries for signatures as OS,'(m,)) with m sk' <- E M, p E <b. To answer, the challenger first generates the modified signing key as p(sk). If sk' = sk, the challenger adds the message to the set of disallowed messages for the forgery as M +- M U {m}. Finally, the challenger answers the query by returning a- $ S(sk', m) to A. 3. Forge. The adversary halts and outputs a message and signature pair (m*, o*). = Pr[m* V M A V(7r, vk, m, o-) = 1], and say DS is a <D-RKA secure We define Advir(k) signature scheme if Adv A (k) is negligible in k for all adversaries A that run in time polynomial in k. Public Key Encryption. Public key encryption (PKE), as defined in [Sha85], with semantic security, as defined in [GM82], gives a public key that is sufficient to run encryption scheme without compromising a private secret key used only for decryption. Since in this case the secret key is used only for decryption, RKAs make sense to consider when the adversary is given access to a decryption oracle, as is the case for a chosen-ciphertext security definition. In the normal PKE security game, the decryption oracle disallows queries for the challenge ciphertext; to adapt to the RKA model, the decryption oracle will refuse to decrypt when the ciphertext it is given matches the challenge one and the tampered key equals the real one. Again, we give only a definition for a <}-RKA PKE scheme and not for one with standard security, but one can obtain the standard definition by setting <D = ID. Definition 8.3 (<b-RKA Public Key Encryption Scheme) A public key encryption (PKE) scheme is comprised of a tuple of algorithms for key generation, encryption and decryption algorithms, as 'E = (IC,S, D). The scheme is associated with a security parameter k, and is assumed to have an efficiently computable message space M(k). 44 The scheme has an associated security parameter k, and is assumed to have an efficiently computable message space M(k). The key generation algorithm IC takes 1k as input and returns the public key ek and secret key dk, as (dk, ek) <- JC(1k). The encryption function takes a public key and a message to create a ciphertext as (ek, m) for m £ M(k). Finally, the decryption algorithm takes a secret key and a ciphertext c to produce a message as D(dk, c). For correctness, the scheme requires that for a properly generated key pair, a ciphertext that is generated as the encryption of a message can be decrypted using the associated secret key back to the original message. The following security game is defined for a compatible class of RKD functions <k and an adversary A. 1. Setup Phase. The challenger generates public and secret keys as (ek, dk) <- J(1k). The challenger also generates a random bit b +- {0, 1}, and initializes the challenge ciphertext as C* - I. The challenger returns (7r, ek) to the adversary. 2. Query Phase I. A is given oracle access to 0 )',*. When the challengerreceives query O,+"(p, C), it first generates the tampered secret key as dk' <- p(dk). The challenger returns the decryp- tion M <- D(dk',C) to A. 3. Challenge. The adversary outputs a pair of messages (mo,ml) with |mo\ = |m1; the challenger then returns the challenge ciphertext C* +$ 4. (7r, ek, mb) in response. Query Phase II. A is again given oracle access as 09,). When the challenger receives query O">*(p, C), it first generates the tampered secret key as dk' <- p(dk). If ((dk' = dk) A (C C*)), the challenger returns I; otherwise the challenger returns M <- D(dk', C). 5. Guess. Finally, the adversary halts and outputs b', its guess of b. The advantage of the adversary is defined as Adv is (D-RKA secure if this advantagefunction Adv that run in time polynomial in k. 45 c k (k) = Pr[b = b'] - 1. We say 'PRJE ~jc?(k) is negligible in k for all adversaries A Weak Psuedorandom Functions. Weak psuedorandom functions (wPRFs) are a relaxation of PRFs such that they only need to be indistinguishable from a truly random function when queried at random points in the domain, instead of at adversarially chosen points. We include wPRFs since they have an interesting separation with PRFs. Definition 8.4 (<b-RKA Weak Psuedorandom Function (wPRF).) Let ut'5F = (IC,.F) be a family of functions with an associated security parameter k, with efficiently computable domain Domjj(k) and range Rngfiyj(k). The following security game is parameterized by a class of allowed RKD functions <k that is compatible with uTP'F, and is defined for an adversary A. 1. Setup Phase. The challenger generates a key for the wPRF as K random bit b IC(1k), and selects a $ {0, 1}. 2. Query Phase. A is given oracle access as 0"'W'"($). Upon receiving an oracle query the challengerfirst computes the tampered key K' <- O(K), and selects a value x uniformly from the domain of w'iPF as x +- Dom xy(k). If b = 0 and the adversary has never received a value for x and K', the challenger randomly selects a point y - Rng(k) and defines T[K', x] = y. The challenger answers the oracle query by returning (x, T[K', x]). Otherwise, if b = 1 then the challenger responds to a query x with (x, F(K',x)). 3. Guess. The adversary must return a guess b' of the hidden bit. We define Adv" rk(k) = Pr[b = b'] - we say usPF is (k-RKA secure if this advantage function is negligible in k for all A that run in time polynomial in k. Symmetric Encryption. Symmetric encryption enables a sender and a receiver that share a secret key to send encrypted messages to each other. This case is interesting because we can now consider RKAs on the encryption algorithm as well as on the decryption algorithm. 46 We consider two different notions of security for symmetric encryption:chosen-plaintext attack (CPA) and chosen-ciphertext attack (CCA). In CPA security, the adversary is allowed to repeatedly query the encryption oracle with pairs of messages, and receives the encryption of one in return in a semantic security challenge. In CCA security, the adversary is additionally given access to a decryption oracle, but the decryption oracle will disallow decryption of any challenge ciphertext. Definition 8.5 (<b-RKA CPA and CCA secure SE Schemes) A symmetric encryption scheme SE = (C, S, D) is specified by key generation, encryption and decryption algorithms. The scheme is associated with a security parameterk, and is assumed to have an efficiently computable message space M(k). The key generation algorithm C takes 1k as input and returns a secret key K, as (K) <- C(1k). The encryption m E M(k). function takes a secret key and a message to create a ciphertext as (K, m) for Finally, the decryption algorithm takes a secret key and a ciphertext c to produce a message as D(K, c). For correctness, the scheme requires that for a properly generated secret key, a ciphertext that is generated as the encryption of a message can be decrypted using the same secret key back to the original message. The following security game is defined for a compatible class of RKD functions <b and an adversary A. 1. Setup phase. K - KC(lk). The challenger generates a secret key with the key generation algorithm, as The challenger also generates a random bit b +- {0, 1}, and initializes the set of messages disallowed for decryption as S < 0. 2. Query Phase - CPA. The adversary A is given adaptive access to O *,(#,mom1), where |mo| =Imi1. To answer, the challenger first computes the tampered key as K' <- $(K), and then computes ciphertext C 4$ (K',mb). C is added to the list of disallowed ciphertexts as S <- S U {(K', C*)}, and then the challenger returns C to A. 3. Query Phase - CCA. In the case of CCA security, in addition to the oracle access granted in the CPA Query Phase, A is also given access to the decryption oracle as 0D9,(4, C. To answer 47 this the challengerfirst computes the tampered key as K' <- #(K). If ((K', C) G S) then the challenger returns I to A; otherwise the challenger decrypts and returns M <- D(K', C) to A. 4. Guess. The adversary must return a guess b' of the hidden bit. We define Adv ~ ~ (k) = Pr[b = b'] - 1 when A plays the above game with the CPA Query Phase. We say SE is tI-RKA-CPA secure if this advantage function is negligible in k for all A that run in time polynomial in k. We define Adv ~ (k) = Pr[b = b'] - 1 when A plays the above game with the CCA Query Phase. We say SE is D-RKA-CCA secure if this advantage function is negligible in k for all A that run in time polynomial in k. Identity Based Encryption. Identity Based Encryption (IBE) was first defined in [Sha85]. In an IBE scheme, the public key of each user is some commonly known user identification (ID), such as an email address, avoiding the common issues associated with public key exchange. An IBE scheme is enabled by a trusted party with master keys that generates the secret keys for any ID. We will give the definition for a @-RKA secure IBE scheme without first giving the standard definition of an IBE scheme, but the oriental definition can be obtained by letting i = ID. As with the definition for signatures, some subtleties arise in actions disallowed to the 4-RKA adversary. In the standard security game, the adversary can adaptively request secret keys for user IDs of its choice to a key derivation oracle, then request a semantic security challenge encrypted with the ID of its choice, and then further request secret keys for IDs; however, its important for the adversary to be disallowed to have the secret key for the ID used to generate the semantic security challenge! In the 4-RKA security definition, the key-derivation oracle refuses to act only when the ID it is given matches the challenge one and the tampering does not modify the secret key. Definition 8.6 (D-RKA IBE Scheme) An identity-based encryption (IBE) scheme is comprised of a tuple of algorithms IBE = (M, C, ,D), which are for master key generation, key generation, 48 encryption, and decryption respectively. The scheme has an associated security parameter k, and is assumed to have an efficiently computable message space M(k). The master key generation algorithm M takes 1k as input and returns the master public key mpk and master secret key msk, as (msk, mpk) <- M(1k). Standard key generation IC takes parameters, a user ID id, and the master secret key to produce a secret key for the ID as dk <- IC(mpk, msk, id). The encryption function takes the master public key, a user ID, and a message to create a ciphertext as S(mpk, id, m) for m E M (k). Finally, the decryption algorithm takes the master public key, a secret key, and a ciphertext c to produce a message as D(mpk, dk, c). For correctness, the scheme requires that for a properly generated master key, when a message is encrypted to a user ID, the properly created secret key for that user ID can be used to decrypt to the original message. Security is defined for the following game with an adversary A, and is parameterized by a (b that is compatible with IB'E. 1. Setup Phase. The challenger generates the master key pair as (mpk, msk) 4 M(1k). The challenger forwards (,r, mpk) to the adversary. The challenger also randomly selects a bit b as b $ {, 1}, and initializes the set of disallowed IDs as S ID as id* <- +- 0, and initializes the challenge . 2. Query Phase I. A receives oracle access to OK, submitting queries of the form 0C*4($, id). To answer, the challengerfirst generates the tampered key as msk' +- $(msk). If msk' = msk, S <- S U id. The challenger returns secret key dk - JC(mpk, msk', id) to A. 3. Challenge Phase. The adversary sends a user ID and two messages to the challenger, as (id,mo,mi), where |mo| = m 1 |. If id G S, the challenger returns I, since the adversary has already asked for the secret key for this user ID under the original secret key. Otherwise, the challenger sets id* = id, and sends A the challenge C <$ 4. (mpk, id, mb). Query Phase II. A again is given access to O'C *($, id), but now queries to id* with the unhampered master secret key are disallowed. To answer, the challenger first generates the 49 tampered key as msk' <- #(msk). If ((msk' = msk) A (id = id*)), then the challenger returns _L; otherwise the challenger returns dk <- IC(mpk, msk', id). 5. Guess. Finally, the adversary halts and outputs b', its guess of b. We define Adv$RE if Adv - (k) = Pr[b = b'] - 1, and say that IB'E is a 4-RKA secure IBE scheme (k) is negligible in k for all Athat run in time polynomial in k. Constructions of <D-RKA Secure Primitives 9 We will show that a 4-RKA and 4-ICR PRG is a particularly strong starting point, leading to a construction of any cryptographic primitive from such a PRG; in our language, this is the containment of RKA[PRG] in RKA[P] for all other P that we consider. To do this, we first show RKA[PRG] C RKA[Sig], building a tamper-resilient signature scheme from any D-RKA and 4ICR PRG. Then we will generalize this result to use any 4-RKA and f-ICR PRG to build a tamper resilient version of any of the other primitives we consider. We also show that our constructions of a 4-RKA secure signature satisfies an even stronger notion of security where the adversary cannot forge for any tampered key, and not just the original one. Additionally, we give two positive results based on IBE, showing that previous constructions of a PKE with CCA security and of a signature scheme based on IBE maintain 9.1 4-RKA security. Using <D-RKA PRG to Construct <}-RKA Signatures To build high level primitives resilient to tampering, we will start with a normal secure instance of that primitive. The adapted security notions of the RKA model allows an adversary to obtain information not only based on the original secret key, but also tampered versions of the secret key. To build a D-RKA secure primitive, we will need to ensure that information obtained based on tampered secret keys gives the adversary no additional ability to break the security of the original primitive. 50 We will give a general method to construct any higher level primitive from a <b-RKA and <ICR PRG. Every higher level primitive has a key generation algorithm to generate a secret key (and perhaps additionally a public key) from randomness. Instead of storing the secret key of the original scheme, the new tamper resilient primitive should instead store a seed for the PRG. When the secret key is needed, the PRG is used to generate randomness to feed into the original key generation algorithm, generating the secret key freshly each time it is needed. If the seed has been modified by a #c <b, the PRG will produce an output that is indistinguishable from random, and so the secret key generated will look as if it was generated with fresh randomness, and will give no information about the original scheme. To explore this idea in detail, we will formally define the construction in question and give the necessary security reductions for <b-RKA Signatures. From <b-RKA PRGs to <b-RKA signatures. We will show containments of the form RKA[PRF] C RKA[P] for a range of primitives P by showing that any <b-RKA and <b-ICR secure PRG can be used to build <b-RKA secure P. Under the assumption that a <D-RKA PRF has an identity fingerprint, we can use it to build such a PRG, giving the desired result. Construction 9.1 [A <b-RKA Signature Scheme] We start with a <b-RKA and <h-ICR PRG TRg = (IC,g) with associate output length given by r(.), and a normal-secure signature scheme DS = (KC, S, V), such that the output length r(.) of the PRG is also the number of coins used by 1C. We construct a new signature scheme DS = (IC', S, V), with algorithms defined as follows: 1. Keys: Pick a random seed for the PRG for the new signing key, K <- k(1k). To generate the verification key, let (vk,sk) <- A(g(K)) be the result of the original key generation algorithm with coins from g(K)- the verifying key remains ok. (Key sk is discarded.) 2. Signing: To sign message m with signing key K, recompute (k,sk) <- A(g(K)), and then sign m under S using sk. 3. Verifying: Just as in the base scheme signature scheme, verify that o- is a signature of m under vk using V. Note that <b is compatible with the space of keys for DS since this is also the space of seeds for 51 the PRG. We note that our construction has the advantage that the form of the public key, signatures, and the verification algorithm all remain unchanged from that of the original base signature scheme. Thus our construction gives minimal changes to software, making it easier to deploy than a totally new scheme. Creating a signature in the new scheme now additionally requires evaluation of a <D-RKA-PRG, but in practice this can be instantiated with any efficient block cipher. However, creating a signature also requires running the key generation algorithm of the base signature scheme which might be expensive. We will prove that DS inherits the <b-RKA security of the PRG. The intuition here is very simple. When an adversary attacking DS makes a signing query (#, m), the signature of m will either be under the original signing key, or will look like a signature generated with an independent and randomly generated key. Since the signing key of our new signature scheme is the seed of the <b-RKA PRG, any modification of the signing key will generate #(K) which looks like fresh randomness; since the output of the PRG is used to generate a signing key of the original signature scheme as using coins 9(#(K)), this will look like a freshly randomly generate signing key, independent of the original scheme and giving no additional information to the adversary. There are, however, technical difficulties in the proof. In our reductions, we construct an adversary B against the <b-RKA security of the PRG from any adversary A against the security of the new signature scheme. The standard way to construct this is for B to guess it has access to a real oracle when A succeeds in a forgery, and to guess it has access to a random oracle B when A fails. However, in order for B to tell when A succeeds, it needs to know when the tampered key of the signature scheme is unchanged, and its unclear how to do this without access to the key! We overcome this property using the <b-ICR security of the PRG, which bounds the probability that an adversary can query a # in <b such that # modifies the seed but not the output of the PRG. Theorem 9.2 Let signature scheme DS = (P with a (b-RKA secure and (b-ICR nature scheme DS = (7, KSV). P, C', S, V) be constructed as in construction 9.1, secure PRG PG = (P, Then DS is a (-RKA 52 k, g, r), and with a normal-secure sig- secure signature scheme. Proof: Given an adversary A mounting an attack on the <}-RKA security of DS, we construct adversaries P, S and C such that for every k Advsigk eN (k) < Adv r (k)+ -Adv (k) + Advicr (1) (k), proving the theorem. In order to make our analysis, we introduce three games for A. In Game 0, the A will receive correctly formed signatures from our signature construction 9.1. Game 0 - Go 1. Setup Phase. The challenger generates the signing key for the signature scheme, which is a seed for 'PG, as K - C(1k), initializes T[K] <- g(K), and then uses the key generation of the original signature scheme 'DS as (vk, sk) <- JC(T[K]) to generate the verification key vk. The challenger also initializes the set of disallowed messages as M <- 0, and sets a boolean variable bad to false. Finally, the challenger returns the verification key vk to A. 2. Query Phase. The challenger is responsible for answering A's adaptive queries 0S,4 (, ). To do this, the challenger computes the tampered signing key as K' +- <O(K). If T[K'] is undefined, T[K'] 4- g(K'), and the challenger computes keys for the original signing scheme using randomness from PRQ as (V',T') +- IC(T[K']), and signs m with a 4- 3(sk', m). If the signing key was unmodified, with K' = K, m is added to the set of disallowed messages with M <- M U {im}. If K' 5 K but T[K'] = T[K], the challenger sets bad <- true. Finally, the challenger returns the signature a in response to A's oracle query. 3. Finalize. When A halts and outputs a potential forgery (m*, -*), the game returns 1 if the signature verifies and m* V M and 0 otherwise; more formally, the game returns ((V(vk, m, a) = 1) A (m V M)). Game 0 is equivalent to the security game for a <b-RKA signature scheme for our construction DS, 53 and so Advsr (2) (k) = Pr[GA 4 1]. However, Game 0 requires the challenger to add messages to the disallowed set when K' = K, but the challenger doesn't have access to K! Game 1 will instead add messages to the disallowed set when T[K'] find # = T[K]; we use the 4-RKA security of the PRG to bound the probability that A can $ such that for K'= #(K), T[K'] = T[K] yet K' K. In Game 1, the A will receive correctly formed signatures from our signature construction 9.1. Game 1 - G1 G1 is the same as Go, except in the query phase, where a queried message m is added to the set of disallowed messages with M <- M U {m} when T[K'] = T[K], instead of when K' = K. An algorithm with oracle access to OMG,' can perform the role of the challenger for the D-RKA adversary of the signature scheme in Game 1. Note that Go and G1 only differ when the P-RKA adversary of the signature scheme makes a query to # such that T[K'] = T[K] yet K' 0 K. We construct adversary C against the <D-ICR security of 'PRG by having it serve as the challenger in Go; whenever the flag bad is set to true, C breaks the <k-ICR security of 'PRG. Thus, Pr[GO ]< Advic ,,(k) + Pr[G1I4 (3) ] Game 2 differs from Game 1 in that A will receive signatures created using true randomness instead of the output of the 'PR. Differences in Game 2 from Game 1 are boxed. Game 2 - G2 1. Setup Phase. The challenger generates the signing key for the signature scheme, which is a seed for 'RG, as K <$ (1k), initializes T[K] 4- {0, 1}r(k), and then uses the key generation of the original signature scheme DS as (vk, sk) +- C(T[K]) to generate the verification key T. The challenger also initializes the set of disallowed messages as M <- 54 0. Finally, the challenger sends the verification key k to A. 2. Query Phase. The challenger is responsible for answering A's adaptive queries for signatures OS,4 (#, m). To respond, the challenger computes the tampered signing key as K' <- #(K). If T[K'] is undefined, T[K']+- {0, 1}"'(), and the challenger computes keys for the original signing scheme as (V', ;') <-- J(T[K']), and signs m with o - S(Tk', m). If the signing key was unmodified, with K' = K, m is added to the set of disallowed messages with M <M U {m}. Finally, the challenger returns the signature o to A. 3. Finalize. When A submits a potential forgery (m*, *), the game returns 1 if the signature verifies and m* V M and 0 otherwise; more formally the game returns ((V(ok, m, o) 1) A (m M)). First we use any adversary A against the signature scheme to construct P which attacks the security G, of the 'PTg. P receives either oracle access to either a real instance of or to a random one; P will interact with A so that in the real case, it plays Game 1 with A, and in the random case plays Game 2 with A. P generates randomness R by querying the TPRG oracle with ID the identity function as R $ GEN(id), and uses this to create a verification key for DS as (vk,sk) <- JC(R), sending vk as the 0. verification key to A. P initializes the set of disallowed messages M <- P must then answer adaptive signing queries from A of the form (#, m). P first obtains R' <- GEN(#), then uses this as randomness to run (vk', ') <- IC(R'). P uses the resulting signing key T' for the original signature scheme DS to sign m as o- S(T',m), returning signature o- to A. If # = ID, then m is added to the set of disallowed messages as M <- M U {m}. When A returns a message and signature (m*, o-*), adversary P returns 1 if (V(vk, m*, o-*) = 1) A (m 0 M) and 0 otherwise. In the case that P is in the real game, the verification key and all signatures given to A are computed using values from the real PRig as in Game 1; in the case that P has access to the random game, the verification key and all signatures given to A are computed using a random value for each value of 'P1g seed, as in Game 2. The remaining challenge for P is to be able determine whether the 55 the forged message m* is in M, the set of disallowed messages. Messages are added to M if signed with the original signing key, but P does not have access to the 'Pfg seed that is the signing key for the signature scheme for A. To solve this problem, we use the assumption that <D is claw-free this guarantees that K' (No other # can have = K only when #(K) = # = ID, so m is added to M only for queries where #= ID. K since ID(K) = K, and that would violate the assumption.) This analysis yields Adv () (4) --> 1] - Pr[Gi -> 1], Pr[G computed as the difference in probability of returning 1 in the real and random games for P. To continue in our analysis we use the adversary A attacking the RKA-security of signature scheme DS to build an adversary S against the normal security of the original signature scheme DS. S receives verification key vkfor the original signature scheme. S then generates seed for the 'PRg as K - /C(1k), which will serve as the signing key for DS. S sends A the verification key vk. S responds to adaptive signature queries (#, m)from A by first computing K' = S uses oracle access to get signature a T[K'] + {o, 1}r(k); for K' # <- SIGN(m). If K' = K, For K' , K, if T[K'] is undefined, S sets K, S uses T[K'] as randomness for 4- 5(sk', m). and signs m with the resulting signing key as a #(K). K to compute (vk', sk') - C(T[K']) S returns the generated signature a to A. When A submits forgery (m*, o-*), S submits this also. Note that S is able to play Game 2 properly with A. The parameters presented to A have the proper distribution, since they are composed of independently generated parameters for the 'PTg and base signature scheme DS. Each tampered seed K' = #(K) accesses a truly random value T[K'] to generate a signing key of the original scheme DS to answer signature queries; this is even true when # = ID, in which case signatures are generated from S's access to a signature oracle, which uses a signing key of the base signature DS created with true randomness. Finally we note that since <D is claw-free, only yeild #(K) # = ID leaves the seed of the PRG unmodified, so no other # will = K. A succeeds when (V(vk, m*, o*) = 1) and (m* g M). Since S and A have the same value for ok, (V(vk, m*, a*) = 1) will be true for S exactly when it is true for A. Moreover, m is added to M 56 for A when it queries (ID, m); since S makes queries to its signature oracle only when # = ID, m is added to M for S exactly when it is added to M for A. Thus S will succeed in creating a forgery for DS exactly when A succeeds in creating a forgery for DS in Game 2, yielding Advsgrk(k) = Pr[G2 ] (5) To conclude our proof, we combine equations 2, 3, 4, and 5 progressively to give Adv rj(k)= Pr[GA = Ady 1] ,0 ,(k) + Pr[G P 1] = Adv'gC,.(k) + Adv(k) + Pr[G a 1] = Advg,c,D (k) + Adv ,(k) + Adv sk(k), proving equation 1 as desired. I Corollary 9.3 Under the assumption that 4-RKA secure PRF is also a (b-IDFPsecure PRF, RKA*[PRF] c RKA*[Sig]. Proof: Using the construction in Proposition 7.8, we can build a <b-RKA and <b-ICR secure PRG from any <b-RKA and <b-IDFP secure PRF. Using Theorem 9.1, we can in turn use this PRG and a normal secure instance of a signature scheme to build a <b-RKA secure signature scheme. I Now that we have shown how to build a <b-RKA secure signature scheme, we generalize the above construction. Construction 9.4 [ <b-RKA Primitives from <b-RKA and <b-ICR PRG] Let P = (Cp(-), 91(-),.. be any secure cryptographic primitive, where each algorithm 57 fi . , gm(), depends on the secret key sk, and fi(sk, .)'.. each algorithm gi does not. Without loss of generality, key generation outputs both a private and a public key, and all algorithms run in time polynomial in k. Let 4-RKA and 4-ICR PRG PRG = (KG, 9) with associate output length given by r(k), such that the output length r(k) of the PRG is also the number of coins used by IC(1k). We construct P' = (K'(-),g ),.. ., gm(.), f(sk,-),.. .,f'(sk, -)) as follows: * KCI(lk) generates secret key sk <-- KIPRG(1k), and then takes the public key obtained by running the original key generation algorithm on the psuedorandomness produced by g evaluated with sk, as (pk, -) * +- Kp(l1; 9(sk)); the returned key pair is (sk,pk). fi(sk, -) first generates (pk, skp) <- Cp (1k; g(sk)), and then returns fi(skp,). e All g'(.) = gi(-); algorithms that do not use the secret key are unchanged. Note that 4) is compatible with the space of keys for P' since this is also the space of seeds for the PRG. Theorem 9.5 Let cryptographic primitive P' = (K'(), g'(.),. . .,g9m(.), f(sk,),.. .,f' (sk, -)) be (P, K, g, r), constructed as in construction9.4, from a (b-RKA secure and '1-ICR secure PR G'P9Lg and from any normal secure instance of the cryptographicprimitive P = (p(.), gi(),. .. , m), f1(sk,-), Then P' is a tD-RKA secure instance of P. The proof is a generalized version of Theorem , and we omit it here. 9.2 Strong <b-RKA Security We suggest and use an even stronger notion of primitives. The security game for 4-RKA security for signature schemes and other 4-RKA secure signatures requires that forgery is difficult with respect to the original verification key; we note that our Construction 9.1 actually possesses an even stronger property, namely that forgery is difficult with respect to the public verification keys corresponding to any tampered secret key. We will use signature schemes to demonstrate this strong security requirement, and will use it in other proofs. 58 . .. , fn(sk, In the general definition of a signature scheme the public verification and the secret signing keys are produced together by the (randomized) key generation algorithm. However, in most instantiations of signature schemes, the secret signing key is produced first with randomness and then the public verification key is generated as a deterministic function of the secret key. We call any signature scheme with this property separable,and we call the algorithm that deterministically produces the public key from the secret key the public-key generator. We note that one can convert any signature scheme into a separable scheme by storing randomness for the key generation algorithm as the new secret key. Definition 9.6 (Separable Signature Scheme) A signature scheme DS = (C, S, V) is separable if there is a deterministic algorithm T, called the public-key generator, such that for all k GN the output of the process (vk, sk) < k/(1k) ; vk <- T(sk) ; Return (vk, sk) is distributed identically to the output of A(lk). We will now give the security definition for a strongly <b-RKA secure signature scheme. Here, the adversaries potential forgery includes not only a message and a signature, but also a RKD function #(sk), #. A forgery is valid if it passes verification with the verification key vk derived from and the adversary has never received a signature on this message generated with a signing key sk' that gives vk. This might seem odd since the adversary might not know the public key, but without loss of generality we can add the public verification key to the signatures. We note that this definition of a forgery is more restrictive than that of normal 4-RKA security; one can move to the less restrictive form under a general (not just identity) fingerprint assumption. Definition 9.7 (Strongly <-RKA Secure Signature Scheme) Let DS = (C, S, V) be a separable signature scheme with public-key generatorT. The algorithms must work in the same way and satisfy the same correctness properties as a standard signature scheme. We define the following security game is parameterized by a security parameter k and a (b that is compatible with DS, and is defined for an adversary A. 59 1. Setup Phase. The challenger generates keys for the signature scheme as (vk, sk) $ K(1k), and initializes the set of messages disallowed for forgery as M <- 0. Finally, the challenger gives the public verification key vk to adversary A. 2. Query Phase. A is given adaptive access to Os,'. by first computing sk' <- OsA(4, m) p(sk). The challenger computes the associated pub- lic key for the tampered secret key as vk <- T(sk'). o - The challenger answers A's queries The challenger computes signature S(sk',m), and adds this to the set of disallowed forgeries as M <- M U {(vk,m)}. Finally, the challenger returns the signature o- to answer A's query. 3. Forge. When A halts, it outputs (p, m, o-). For A's output (p,m,o-), we define Advi,-(k) true) A ((vk, m) g M)]. =Pr[vk <- T(p(sk)) :(V(vk,m,-) We say (DS, T) is strongly '1-RKA secure if this advantage function is negligible in k for all A that run in time polynomial in k. To show that our signature scheme Construction 9.1, is strongly G-RKA secure, we first note that this construction is separable. Recall that in this scheme, the secret signing key is a seed for a 4-RKA PRG, which is expanded and fed into a signature scheme key generation algorithm; the verification key is obtained from the signature scheme key generation algorithm, and so can be computed from the secret key. This is true regardless of whether the original signature scheme is separable. Theorem 9.8 Let separable signature scheme DS = (K', S, V) be constructed as in Construction 9.1 from a 'I-RKA PRG PRG = (K, 9) with output length given by r(k), and normal-secure sig- nature scheme DS = (K, S, V). Let T be the associated public-key generation algorithm for DS. Then (DS, T) is a strongly 1-RKA secure signature scheme. Proof of Theorem 9.8: Recall ID is the RKA specification consisting of just the identity function, so that a ID-RKA secure signature scheme has normal signature security; by assumption, DS is such a scheme. Given an 60 adversary A making qig signature oracle queries and mounting a <D-RKA on the strong security of DS with public-key generator T, we construct adversaries P, S such that for every k Advssg D(k) < Adv (k) + (qsig + 1)Adv EN (k), which will prove the theorem. We define two security games for an adversary A against the strong <b-RKA security of our constructed signature scheme. Game 0 and Game 1 - Go and G 1 Differences in Game 1 from Game 0 are boxed. 1. Setup Phase for Go, G1 . The challenger generates a seed for the PRG as K stores its initial value as T[K] <lowed for forgery as M <(vk, sk) <- 0. < 1C(lk), and g(K). The challenger also initializes the messages disal- Finally, the challenger generates the public verification key as kC(T[K]), and returns (vk) to A. 2a. Query Phase for Go. To answer A's adaptive queries 0SD (#, m), the challenger first computes the tampered secret key as K' +T[K'] <- #(K). If T[K'] = I then the challenger computes g(K'). The challenger generates the signature by first computing keys for the orig- inal signature scheme as (vki, si) <- K(T[K']), and then computing o- S(ski, m). The challenger adds this to the list of disallowed forgeries as M <- M U { (vki, m) }, and finally returns signature o- to A. 2b. Query Phase for G1 . To answer A's adaptive queries 0"'*(#, m), the challenger first computes the tampered secret key as K' <T[K'] 4- {0, 1}r(k). #(K). If T[K'] = I then the challenger computes The challenger generates the signature by first computing keys for the original signature scheme as (vki, ski) <-- C(T[K']), and then computing o 4- S (ski, m). The challenger adds this to the list of disallowed forgeries as M +- M U { (vki, m) }, and finally returns signature o- to A. 61 3. Finalize for Go, G1 . Eventually A halts and outputs (#, m, u). sk' <- #(sk) and vk <- The challenger computes T(sk'); the game returns ((V(vk, m, o) = 1) A ((sk', m) 0 M)). The difference in the two games here is small. Where game Go correctly uses the <D-RKA PRG to generate randomness for key generation, game Gi instead uses true randomness. We construct adversaries P, S such that for every k E N true) - Pr[G Pr[G^0 == 1 Pr[Gf A qsig true] < AdvG,(k) true] < Advig-r (6) (7) (k). DS,S,ID Together with Adv 4)(k) = Pr[GA > true], this gives the desired result. Adversary P against the PRG runs initializations M <- 0 K +_ /C(1k) ; T[K] +-- 9 (K) ; (Tk, Tk) +- )C(T[K]). P then runs A on inputs (vk), and answers A's signing oracle queries 0SD(#, m). by first computing the tampered seed as K' <T[K'] <- #(K). P does this If P has T[K'] = _L then it generates g(K'). P generates keys for the original signature scheme as (vki,ski) +- JC(T[K']), generates the signature as o <- S(ski, m), and adds to the set of disallowed messages for forgery as M - M U {(vki, m)}. Finally, P returns signature o- in answer to A's query. When A halts and outputs (#*, m*, o-*), P tests whether this is valid by generating tampered key K* <defining T[K*] <- 4(K), g(K*) if necessary, and finally computing (vk*, sk*) <- )((T[K*]); adversary P returns 1 if (V(vk*, m*, o,*) = 1) A ((vk*, m*) V M) and 0 otherwise. We note that P correctly plays Go with A. 62 Adversary S against the base signature scheme DS receives vk, a public key generated for the original signature scheme, and access to a corresponding signature oracle. S simulates game G1 by generating a random signature scheme for all but one distinct tampered seed generated by the # in A's queries. Let qsig(k) be an upper bound on the number of signing queries made by A. With probability 1/(qsig + 2), S can predict which # and corresponding key A will select for its forgery, and S will imbed its signature scheme of interest here. S begins by initializing the set of disallowed messages for forgery as M <- 0, generating a seed for the PRG as K I jC(1k), setting T[K] +- 9(K), and setting the counter of unique seeds encountered as c <- 1.S then generates x 4- [0, qsig]. If x = 0, S will embed its signature scheme in the untampered scheme A can access, setting vk <- vk and Ko <- K. Otherwise, for larger x, S selects randomness s 4- {0, 1}r(k) and uses it to generate (vk, sk) <- C(r; s). S then gives A verification key vk, and answers A's adaptive queries to the signing oracle To do this, S first computes the tampered seed K' <- #(K). 0 S''"(5im). If T[K'] = - this is the first time S has encountered this seed, so S increments the counter as c <- c + 1, and sets T[K'] <- g(K'), and if c = x embeds the challenge here by setting Ko <- K'. If the tampered key K' = K 0 , S answers with signatures from its own signing oracle, with oOS(m), and adds M +- M U {(vk, m)} to the set of disallowed forgeries. Otherwise, S uses a stored, randomly generated signing key, setting (ki, Tki) <- A(T[K']), and computing a adding to the set of disallowed forgeries as M <- M U {(vki, m)} . 4- S(ski, m), In either case, S returns a to A to answer the query. When A halts and outputs (#*, m*, o*), S halts and returns (m*, a successful forgery, we compute K* <compute (k*, sk*) If #* <- #(K), a*). To find whether A has created define T[K*) <- 9(K*) if necessary, and finally A(T[K*]); A's forgery is successful if (V(vk*, m*, o*) yields a previously used K*, there is a 1/(qsig = 1) A ((vk*, m*) V M). + 1) chance that vk* matches S's vk, and in this case S will be successful when A is. Otherwise if S never used K*, vk* is distributed as a verification key for a fresh instance of the signature scheme, and A succeeds with probability of at most breaking the original signature scheme. 63 I Strong Security For Other Primitives. The analogous strong security definition also exists for <D-RKA CCA public key encryption. In this definition, the adversary selects not only two messages mo and ml, but also a 4 E <D, and then receives the encryption of one of the two messages under the related key derived using 4; the adversary is said to succeed if it can guess with non-negligible advantage which message was encrypted. The generic construction that transforms a secure CCA asymmetric encryption scheme using a <D-RKA-PRG to generate the secret key before each use gives this strong security definition. We omit the proof here, but it is very similar to the proof of strong security for the signature scheme. Intuitively, each distinct 4 E <D cause the <D-RKA-PRG to output values indistinguishable from random. When this pseudorandomness is used to generate the secret key, it appears as if it was a new randomly generated instance of the primitive. Since the adversary can only interact with polynomially many of these, we can guess which one they will choose, and embed the standard <D-RKA security challenge here. 9.3 <h-RKA Secure Signatures from 4-RKA Secure IBE Schemes As noted by Naor [BF03], any IND-ID-CCA secure IBE gives a public key signature scheme. We show that RKA[IBE] C RKA[Sig] by proving the Naor transform reserves <D- RKA security. Construction 9.9 Given an IBE scheme FB'E = (M, C, E, D), we construct signature scheme DS = (IC,S, V) as follows: * I(1k) first generates (msk, mpk) <- M(lk), and returns these as signing and verification keys (sk, vk) = (msk, mpk). * S(sk, m) treats m as a user ID and returns that user IDs secret key generated as C(vk, sk, m). e In the most general case verification V(vk, m, o) is performed by encrypting a random message in the IBE scheme using the m as the user ID, and seeing whether the resulting ciphertext decrypts correctly under the decryption key o. 64 The following says DS inherits the D-RKA security of IBE. Theorem 9.10 Let signature scheme DS = (IC,S, V) be constructed as in Construction 9.9 above from <b-RKA IBE scheme IBE = (M, k, E,D). Then 1S is 1-RKA secure. When the adversary against the signature scheme makes queries to the signing oracle, the signatures can be simulated using the key generation oracle for the IBE scheme. The delicate point here is that the correctness of this simulation relies on the fact that the challenge identity (in this case, the message to be signed) has not yet been defined, which means that the two procedures fail in exactly the same cases. Once the signing adversary outputs its forgery with message id and signature dk, we pick two random k-bit messages mo, mi to generate a challenge ciphertext C*. We then decrypt C* using D with decryption key dk and return 0 if we get back mo and 1 otherwise. Proof: Correctness of the signature scheme follows from the correctness of the IBE scheme. We reduce 4-RKA security of the signature scheme to the D-RKA security of the IBE scheme by constructing an adversary B against the <D-RKA security of IBE from any adversary A against the ,D-RKA security of DS. B receives a master public key mpk of the IBE scheme, and forwards it to A as the verification key vk of the signature scheme. B answers A's adaptive queries 04 When A halts and outputs forgery (m*, -*). (#, m) by returning o- - 0K4 (4, m). In response, B submits m* as the user ID and random messages mo, mi that A has never queried to be used to generate its challenge. B receives ciphertext C = E(mpk, m*, mb) for a hidden random challenge bit b. B decrypts the ciphertext as m = D(mpk, o-*, C); if m = mo then B guesses b' = 0, and otherwise B guesses b' = 1. By definition of a forgery for A, the submitted o-* should correctly decrypt a ciphertext of a random message generated with identity m*. When A correctly decrypts C that is the encryption of either random message mo or ml, B correctly identifies b, except perhaps when mo = mi1 . Thus Adyv-r (k) > Adv"%,j (k) - F, and so the advantage of B will be non-negligible when A's advantage is non-negligible. 65 I 9.4 <D-RKA Secure PKE-CCA from We show the containment RKA[IBE] c <D-RKA Secure IBE RKA[PKE-CCA] by showing that the construction of Boneh, Canneti, Halevi, and Katz [?] preserves RKA security. Construction 9.11 [Based on Boneh, Canneti, Halevi, and Katz [?]] Let I6'E = (M, K, 8, D) be any <b-RKA IBE scheme and let DS= (K, S, V) be any a regular-secure strongly-unforgeable signature scheme. We construct a public key encryption scheme 2P7AE with associated security parameter k as follows: " Keys: Pick (mpk, msk) <- M(1k), and use mpk as the public key and msk as the secret key. " Encryption: To encrypt a message m under mpk, generate a signing-verification key pair (v/, sk) <- K(1'). Then encrypt m for the identity id =v/ by computing c - (v, m) and sign c under S using sk to get a signature i. The ciphertext is (c, vk,). " Decryption: To decrypt a ciphertext (c, v/c,5 ), first verify that : is a valid signature on c under vk, and output I if verification fails. Then compute the user secret key for the identity id = vk, and decrypt c using that key. Since the form of keys for PRE is the same as that for IB'E, <> is compatible with -PRE. Theorem 9.12 Let the PKE scheme PRE = (K', 8', D') be constructed as above in Construction 9.11, using a (b-RKA secure IBE scheme IB'E = (M, K, 8,D) and normal-secure strongly- unforgeable signature scheme DS = (K, S, V). Then -PREis (b-RKA secure. The proof is an adaptation of the original proof for the non-RKA version of this theorem. The additional difficult is to show that RKA games for IBE and PKE-CCA will cooperate, because they each have rules for disallowing certain queries; in IBE the adversary is disallowed to extract a key for user ID used to issue the challenge ciphertext, and in PKE-CCA the adversary is disallowed to 66 decrypt the challenge ciphertext C*, but both rules only hold under the original unmodified secret key. Proof: The proof will proceed through a sequence of games, Game 0, Game 1, and Game 2. Games 0, 1, and 2 - Go, G1 , and G2 Each game is designed for an adversary A against the <D-RKA security of 'P9(E. Differences in Game 1 from Game 0, and in Game 2 from Game 1, are boxed. 1. Setup Phase for GO, G 1, G2 . The challenger generates a key pair for the IBE scheme as (mpk, msk) +$ M(1k). The challenger also selects a challenge bit b +- {0, 1}, and initializes Finally, the challenger returns mpk to the adversary A as the public key of the C* <- I. PKE scheme. 2a. Query Phase for Go. During this phase, A may choose to run the Issue Challenge phase and then return to this phase. A is allowed to adaptively query O,4 (g, (c, vk, a)). To answer the query, the challenger first computes the tampered key as msk' <((msk' = msk) A ((c, ok, #(msk). If ) = C*)), then this the challenge ciphertext and the key used to generate it, and so the challenger returns I to this query. If V(ok, c, 5) = false, this is an improperly formed ciphertext, and so again the challenger can return I. these conditions are true, the challenger computes dk <- If neither of IC(msk',vk), and uses this to find M <- D(dk, c); the challenger answers A's query by returning M. 2b. Query Phase for G1 . During this phase, A may choose to run the Issue Challenge phase and then return to this phase. A is allowed to adaptively query 0'D,1(#, (c, query, the challenger first computes the tampered key as msk' <((cvk, ) #(msk). , )). To answer the If ((msk' = msk) A = C*)), then this the challenge ciphertext and the key used to generate it, and so the challenger returns I to this query. If V(vk, c, ,) = false, this is an improperly formed ciphertext, and so again the challenger can return -. In this game, the challenger adds an additional check: if (vk = vk*) A ((c,3) / (c*, *)), then the challenger sets flag bad <- true, and returns I to A. 67 If none of these conditions are true, the challenger computes dk <- IC(msk', vk), and uses this to find M <- D(dk, c); the challenger answers A's query by returning M. 2c. Query Phase for G2 . During this phase, A may choose to run the Issue Challenge phase and then return to this phase. A is allowed to adaptively query 0D,4(4, (c, vk, b)). To answer the query, the challenger first computes the tampered key as msk' <- #(msk). If ((msk' = msk) A ((k = vk* )), then the challenger returns I to this query. If V(vk, c,5) = false, this is an improperly formed ciphertext, and so again the challenger can return -. If none of these conditions are true, the challenger computes dk <- C(msk',vk), and uses this to find M <- D(dk, c); the challenger answers A's query by returning M. 3. Issue Challenge for Go, G1 , G2 . Here, the adversary outputs two message mo and m 1 with mo =mil. To encrypt mb, the challenger computes (k*, k*) +* C(1k), c* 4 E(, mpk, and finally Z* <- S(k*, c*). Finally, the challenge ciphertext is C* k*, mb), (c*, v*, i*), which the challenger returns to A. 4. Finalize for Go, G 1 , G 2 . When A halts it must output a guess b' of the hidden bit b. Game Go implements the security game of 'PR0E with A, so we have Advecc(k) =Pr[G^] - . Game G 1 has the challenger add an additional before decrypting for A: now if (c,i) 5 (c*, i*), the game sets bad to true and responds to the query with 1. k = T* and Since G 1 and Go are identical until bad, we have Pr[GA] - Pr[G ^] < Pr[Ei], where Ei is the event that G1 sets bad. We now construct an adversary B that breaks the strong unforgeability of 'DS with probability Pr[E1]. B takes as input (vk*), and starts by selecting (mpk, msk) 4- IC(lk). B runs A with public key (mpk), and simulates A's call for a challenge exactly as specified in G 1 , using vk* when called for and its own signing oracle to generate -* on c*. 68 B also simulates A queries for decryption exactly as specified in G1. B notes the first query O," (#, c, vk, Z) that triggers bad, and then B outputs (c, ) as its forgery. This is a valid forgery for B because this query must have passed the validity check V(w, vk, c, i) (otherwise the B would have returned before going to set bad), and we have that at (c, 5) $ (c*, a*) by the check immediately before bad is set. Game G2 rearranges some of the validity checks the challenger performs before decryption, but but these changes don't affect oracle responses since the same ciphertexts end up being rejected in either game. We have Pr[GA] = Pr[GA] Now we show that an adversary with winning G 2 with significant advantage can be used to break the <b-RKA security of PB'E. We construct A' such that Advbr (k) = Pr[G] 2 A' takes input (mpk) for the IBE scheme, and runs A with input (mpk) for 'PRJE. A' simulates the challenge that A requests with (mo, mi) as follows: 1. A' generates (vk*, k*) <* yC(1k), and requests its own challenge c* with (k* no, Mi). 2. A' signs c* using sk*, generating 5* <- S(T*, c*). 3. A' returns challenge ciphertext C* =(c*, k*, *) to A. A' simulates answers to A's queries to Ovo(#, c,vk, Z) by computing a tampered key with its key derivation oracle, as msk' <- O ,s(,vk*). If (V(vk, c, ) = false) then A' returns I, since this is not a valid ciphertext. Otherwise A' computes M <- D(msk', c), and returns this to A. A' runs A until it A halts, and then A' outputs whatever A outputs. To complete the claim we need to argue that A' properly simulates G2 for A. The only subtlety is in how A' handles decryption queries are handled. But we observe that A"s key derivation oracle is performing exactly the same first two checks that G2 performs before the challenger returns a decryption, and all other ciphertexts are correctly decrypted, and so A' performs as claimed. 69 The proof is completed by collecting the relationships between games Go, G 1 and G 2. I Separations between RKA Sets 10 After giving several constructions of <h-RKA secure primitives from other <D-RKA secure primitives, we will now show that in some cases this is actually impossible. We give negative results of the form RKA[P1] g RKA[P 2 ] by showing there exists a <( for which <b E RKA[P 1 ] but <k g RKA[P1 ]. We reach these separations using two different techniques. One is based on the class Cnst of RKD functions that set keys to a constant . We show, for example, that any signature scheme is Cnst-RKA secure, since an adversary could simulate signatures made with constant keys itself; however, no PRF can be Cnst-RKA secure since a PRF evaluated with a fixed key is easily distinguished from a random function. Thus RKA[Sig] g RKA[PRF]. Another example use of this technique is to show RKA[PKE-CCA] g RKA[SE-CCA]. This is true because constant functions are fine for the first but, due to the RKA on the encryption oracle, not for the second. The second technique is to define pairs of keys, and define RKD functions that sometimes exchange one key in the pair for another depend on a bit of the original key; these are designed in such a way that there is a noticeable change in behavior for a <b-RKA attack on P 2 , yet the two keys are functionally equivalent under a <D-RKA on P1 . We use variants of the technique to show RKA[wPRF] g RKA[PRF], and also RKA[SE-CPA] g RKA[SE-CCA]. 10.1 Separating <b-RKA PRFs from <}-RKA signatures Since Corollary 9.3 shows that RKA*[PRF] ; RKA*[Sig], it is natural to consider whether the converse is also true- can one build a <D-RKA secure PRF from any <b-RKA secure signature scheme? It turns out the answer is no, which is expressed RKA*[Sig] Z RKA*[PRF]. This is proved by showing that there exists a <Dsuch that there exists a <D-RKA secure signature scheme, but for which no <D-RKA secure PRF can exist. We do this using Cnst, the class of RKD 70 functions that set the secret key to a fixed constant. We first show that all signature schemes are Cnst-RKA secure. Proposition 10.1 Let DS = (C, S, V) be any signature scheme with standard (non-tampering) security. Then DS is a Cnst-RKA secure signature scheme. Proof: We use any adversary A against the Cnst-RKA security of DS to build an adversary B normal security of DS, with Advig~ DrACnst > dsS,A,Cnst (k) against the against~k Adversary B receives a verification key vk for DS from the challenger, and receives access to signing oracle 0 S. For the reduction, B forwards vk to A. A should receives access to the signing oracle OS,Cnst. B must answer queries of the form * If # = #1D, B returns * Otherwise # = #c, 0 scnst (, m). o +- OS(m) from its own signing oracle. i.e. the RKD which maps all keys to the constant c. In this case, B first tests for the event that c is the hidden secret key: for an m' that B has not queried its signing oracle, B tests V(vk, m', S(c, m')); if true, B outputs (m', S(c, m')) as its forgery. If c fails to generate a valid forgery in this way, B correctly answers A's oracle query with S(c, m). If B has not already output a value, when A submits a potential forgery (m*, o-*), B repeats this and outputs (M, -). A's forgery is valid if it has not queried for a signature of m* under has never queried for a signature of m* under #s. But if A queried with signing key and creates a valid forgery. Otherwise, if A never queried (m*, #1D), #sk, #ID and B will have the B never queried its signing oracle for m* either, and this will be a valid forgery for B too. Thus B has a valid forgery whenever A does. I Next, we show that no Cnst-RKA secure PRF can exist. Proposition 10.2 Let 7 = (K, F) be any PRF; then 77 is not Cnst-RKA secure PRF. 71 Proof: We construct adversary A against the Cnst-RKA security of fJ: Or,Cnst A queries OTCnst(go, 0) (or ge for any valid when A is given oracle access to secret key c and any valid point in Dom(k)). If OF,Cnst (o, 0) = F(0, 0), A makes guess b' = 0 of the hidden bit, and otherwise makes guess b' 1. In the case that A is playing game PRFRand, orCnst(go,0) = F(0, 0) will only happen with probability Thus Advf 1(k) while in game PRFReal, it will happen with probability 1. (k) = 1- , and so 77 is not a Cnst-RKA secure PRF. I Corollary 10.3 RKA[Sig] g RKA[PRF]. Proof: Proof by Propositions 10.1 and 10.2. 10.2 I Other Relations Using Cnst Similarly to Proposition 10.2, no wPRF can be Cnst-RKA secure - even when the adversary can only access random points, the fixed function determined by evaluating the wPRF at a fixed key looks far from random. Additionally, no symmetric encryption scheme can be either Cnst-RKA CPA secure or Cnst-RKA CCA secure - in both cases this would allow the adversary to receive the message mb encrypted with a fixed key, which it can easily decrypt to determine the challenge bit b. We omit the proofs. Proposition 10.4 Let 7F = (K, .F) be any wPRF; then 97 is not Cnst-RKA secure wPRF. Proposition 10.5 Let SE = (C, &6,D)be any symmetric encryption scheme; then SE is neither Cnst-RKA CPA secure nor Cnst-RKA CCA secure. In addition to all signature schemes being Cnst-RKA secure, all PKE schemes and all IBE schemes are both Cnst-RKA secure as well. Here, the adversary only receives access to decryption under the secret key, but could easily simulate decryption under constant keys without oracle access. Again, we omit the proofs. 72 Proposition 10.6 Let PRAE = (k, 5, D) be any public key encryption scheme with standard (nontampering) security. Then PRE is a Cnst-RKA secure public key encryption scheme. Proposition 10.7 Let I'E = (M, C, 5,D) be any identity based encryption scheme with standard (non-tampering) security. Then IB'E is a Cnst-RKA secure identity based encryption scheme. Together, this yields a whole suite of relations - no primitive that can be shown to be Cnst-RKA secure can be contained in a primitive that can never be Cnst-RKA secure. This gives that none of Signature, PKE, or IBE schemes can be contained in PRF, wPRF, or SE schemes. Separating D-RKA secure PRFs from D-RKA secure wPRFs 10.3 Since wPRFs are a relaxation of PRFs, a family of functions that is a o-RKA secure PRF is also a D-RKA secure wPRF, and so RKA[PRF] C RKA[wPRF]. We will show that the converse fails to be true; in our set based notation, this is expressed as RKA[wPRF] g RKA[PRF]. In this case the constant RKD functions do not provide the separation since both primitives are insecure under these functions. Instead, we create RKD functions which help the attacker only if they can obtain different RKD functions evaluated with the same point in the domain of the function family, which happens only with negligible probability in the wPRF game. Proposition 10.8 RKA[wPRF] g RKA[PRF]. Proof: For K c {O, 1}* we let K- denote the string that is K with the first bit flipped. Let #j(K) return K if K[i] = 1 and Kthe collection of all otherwise. Additionally, we define #i, #flip, and #flip(K) to always return K. We let 4 be #ID. Let P2_= (K,7 ) be any PRF that is compatible with D with domain given by DomPRT (k) - we show that P2J is not a 4-RKA secure PRF. Let f(k) denote the length of keys for PRJ when the security parameter is k. 73 We now construct an adversary A against the <b-RKA security of 'P2RJ. A picks x at random from DomPW (k), and then queries 0' to compute yid - O-'N#1D,x). Then for each 1 < i < f(k) * (#j, x) and sets K'[i] = 1 if yi = Yid and 0 otherwise. (It is crucial that all A queries yi +- 0 queries use the same x.) If F(K,x) = F(K-, x), this will generate K' = K, and so A has recovered the key. Once it has the key, it can easily distinguish between game PRFReal and game PRFRand by making a few queries under #1D at random inputs and returning 1 if the results are consistent with K' and 0 otherwise. If F(K, x) = F(K-, x), meaning the functions under keys K and Kagree at x, then the attack will instead recover the string K' = 1 e(k) and not recover the key. We resolve this problem by knowing that #flip in <b: this, combined with the given <b-RKA security of PRF, ensures that the functions defined by keys K, K- look like random, independent ones. Thus, our adversary can simply return 1 if K' = 1e(k), meaning declare that the challenge bit was 1. Let zRF = (IC,.F) be a normal-secure wPRF and for simplicity assume that keys are random (k - 1)-bit strings. (Formally, this is assuming that K(1k) generates the uniform distribution on {0, 1}- for all k E N.) We now construct a <b-RKA secure wPRF zd!RF = (K,Y) based on any normal-secure zd f = (K, F). Key generation K returns a random k-bit string on input 1 k. The evaluation algorithm F(K, x) lets L be the last (k - 1)-bits of K and returns F(L, x). As a result, the functions F(K, -) and F(K -.) are identical. We reduce the <D-RKA security of zdRJ to the normal security of zdPIU: for any adversary A against the normal security of zudPIF, we build an adversary B against the <-RKA security of ; Adv ziRw such that Adv 0D' , B uses its own oracle access to get (x, y) for all # E <b, #(K) B(k)+neg(k) either returns K or K~, and ID 0w" '- (k) For B to answer A's oracle queries ( ), and returns (x, y). We note that Y agrees at these two values- thus for any K, z~fW(#(K), -) = wPRf(K, -) = zd'Pf(L, -), where L is the last (k - 1) bits of K - and so if B has access to the real zulP3Fin game wPRFReal, it correctly simulates A's queries in the game wPRFReal. If B instead has access to a truly random function in wPRFRand, B receives a truly random value from the range of the wPRF for each unique pair (x, L) of x in the domain and key L, where as A should instead receive separately generated random value for (x, 0 || L) and (x,1|1 L); 74 here B correctly simulates responses to A's queries in game wPRFRand except when A receives both (x, O|1L) and (x, 1|| L). Since the inputs to a wPRF are random rather than adversary-selected, the probability of a repeated input x in q queries is at most qDom (k)|, which is negligible since q must be polynomial in k and |Dom,,y(k)l is super-polynomial. Thus Advwprfr (k) ;> Adv"jka D(k) - neg(k), and so fPfR is I-RKA secure, since we have assumed that w P'F is a normal secure wPRF. 1 Separating 10.4 <}-RKA CPA SE from <D-RKA CCA SE We use a similar technique to show that RKA[SE-CPA] Z RKA[SE-CCA]. In this case the attack exploits the fact that the decryption oracle rejects if a query (#, C) results in (K', C) being in S, meaning that C was a challenge ciphertext created under K', and this can be made to happen depending on a certain bit of K so that the rejection leaks information about K that eventually allows the attacker to recover K. Proposition 10.9 RKA[SE-CPA] g RKA[SE-CCA]. Proof: e- {O,1}* we For K let K- K if K[i] = 1 and K- denote the string that is K with the first bit flipped. Let otherwise. We let <b be the collection of all #i, and #i(K) return #ID. First, we show that there exists a <D-RKA CPA secure symmetric encryption scheme. Let SE (K, E,D) be any CPA secure symmetric encryption scheme. We build a new SE = (]C, E, D) as follows: " AC(1k) selects a random bit c <*- {0, 1}, and returns c " E(K, m): let L K[2, 1K], and return E(L, m) " D(K, c): let L K[2, 1K1], and return D(L, c) 75 1|(1k) Note that E(K, -) is the same as E(K-, .), and D(K, -) is the same as D(K~, -). We reduce the <b-RKA CPA security of SE to the normal CPA security of SE. An adversary A of SE receives oracle access to 0 8 (mo, ml), and receives encryptions of either mo or ml. To answer oracle queries of adversary B of O' 0 8 (mo, mi). Adv (#i, mo, mi), A can correctly simulate the answer by returning When B correctly guesses the hidden bit, A does also. Thus Adv cZ-(k) ,~7d(k), = and SE is <b-RKA CPA secure. Despite the fact that we have built a <b-RKA CPA secure symmetric encryption scheme, no <b-RKA CCA secure symmetric encryption scheme can exist. The problem here is although D(#(K), .) might be simulatable by some function without tampering allowed as D'(K, .), the oracle actually depends on the value of the secret key in order to determine what ciphertexts are allowed for decryption, and so 0 D,) will not be simulatable by 0 D'. We complete the proof by building an adversary A against the <b-RKA CCA security of any encryption scheme SE = (1C, 6, D). C* is generated with yi 0 #1D(K) To begin, A generates C* <- O,'(#1D, mo, ml). Note that the original secret key. Then for each 1 < i < |KJ A queries D,(#i, C*) and sets K'[i] = 1 if yj = I and 0 otherwise. only return I if #i(K) = Note that ODA (#j, C*) will K, which occurs only if the i-th bit of K is 1. Once A is done, K' = K and A can decrypt C* as D(K', C*), and will always correctly guess b. I References [AH11] Benny Applebaum, Danny Harnik, and Yuval Ishai. Semantic security under related-key attacks and applications. In ICS, pages 45-60, 2011. [AK96] Ross Anderson and Markus Kuhn. Tamper resistance: a cautionary note. In Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2, pages 1-1, Berkeley, CA, USA, 1996. USENIX Association. 76 [AK97] Ross J. Anderson and Markus G. Kuhn. Low cost attacks on tamper resistant devices. In Security Protocols Workshop, pages 125-136, 1997. [AN95] Ross J. Anderson and Roger M. Needham. Programming satan's computer. In Jan van Leeuwen, editor, Computer Science Today, volume 1000 of Lecture Notes in Computer Science, pages 426-440. Springer, 1995. [BC10] Mihir Bellare and David Cash. Pseudorandom functions and permutations provably secure against related-key attacks. In CRYPTO, pages 666-684, 2010. [BDL01] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of eliminating errors in cryptographic computations. J. Cryptology, 14(2):101-119, 2001. [BF03] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the weil pairing. SIAM J. Comput., 32(3):586-615, 2003. [Bih93] Eli Biham. New types of cryptoanalytic attacks using related keys (extended abstract). In EUROCRYPT, pages 398-409, 1993. [BK03] Mihir Bellare and Tadayoshi Kohno. A theoretical treatment of related-key attacks: Rka-prps, rka-prfs, and applications. In EUROCRYPT, pages 491-506, 2003. [BM84] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput., 13(4):850-864, 1984. [Bov] E Bovenlander. Invited talk on smartcard security, eurocrypt 1997. [BS90] Eli Biham and Adi Shamir. Differential cryptanalysis of des-like cryptosystems. In CRYPTO, pages 2-21, 1990. [BS97] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO, pages 513-525, 1997. [CPGR05] Jim Chow, Ben Pfaff, Tal Garfinkel, and Mendel Rosenblum. Shredding your garbage: Reducing data lifetime. In Proc. 14th USENIX Security Symposium, August 2005. 77 [DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography, 1976. [DPW10] Stefan Dziembowski, Krzysztof Pietrzak, and Daniel Wichs. Non-malleable codes. In ICS, pages 434-452, 2010. [DR02] The design of Rijndael: AES Joan Daemen and Vincent Rijmen. the Advanced Encryption Standard. Springer-Verlag, 2002. [GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4):792-807, 1986. [GL10] David Goldenberg and Moses Liskov. On related-secret pseudorandomness. In TCC, pages 255-272, 2010. [GLM+04] Rosario Gennaro, Anna Lysyanskaya, Tal Malkin, Silvio Micali, and Tal Rabin. Algorithmic tamper-proof (atp) security: Theoretical foundations for security against hardware tampering. In TCC, pages 258-277, 2004. [GM82] Probabilistic encryption & how to play mental Shafi Goldwasser and Silvio Micali. poker keeping secret all partial information. In Proceedings of the fourteenth annual ACM symposium on Theory of computing, STOC '82, pages 365-377, New York, NY, USA, 1982. ACM. [GOR11] Vipul Goyal, Adam O'Neill, and Vanishree Rao. Correlated-input secure hash functions. In TCC, pages 182-200, 2011. [Gut96] Peter Gutmann. Secure deletion of data from magnetic and solid-state memory. In Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6, SSYM'96, pages 8-8, Berkeley, CA, USA, 1996. USENIX Association. [HS09] Nadia Heninger and Hovav Shacham. Reconstructing rsa private keys from random key bits. In CRYPTO, pages 1-17, 2009. 78 [HSH+08] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Cal, Ariel J. Feldman, and Edward W. Felten. Least we remember: Cold boot attacks on encryption keys. In In USENIX Security Symposium, 2008. [IKNPO3] Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently, 2003. [IPSW06] Yuval Ishai, Manoj Prabhakaran, Amit Sahai, and David Wagner. Private circuits ii: Keeping secrets in tamperable circuits. In EUROCRYPT, pages 308-327, 2006. [KK99] Oliver K5mmerling and Markus G. Kuhn. Design principles for tamper-resistant smartcard processors. In Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology, WOST'99, pages 2-2, Berkeley, CA, USA, 1999. USENIX Association. [KKS11] Yael Tauman Kalai, Bhavana Kanukurthi, and Amit Sahai. Cryptography with tamperable and leaky memory. In CRYPTO, pages 373-390, 2011. [LL10] Feng-Hao Liu and Anna Lysyanskaya. Algorithmic tamper-proof security under probing attacks. In Proceedings of the 7th internationalconference on Security and cryptography for networks, SCN'10, pages 106-120, Berlin, Heidelberg, 2010. Springer-Verlag. [Luc04] Stefan Lucks. Ciphers secure against related-key attacks. In FSE, pages 359-370, 2004. [SB94] H. P. Sharangpani and M. L. Barton. Statistical Analysis of Floating Point Flaw in the Pentium Processor. Technical report, Intel, 11 1994. [Sha85] Adi Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO 84 on Advances in cryptology, pages 47-53, New York, NY, USA, 1985. Springer-Verlag New York, Inc. [Sko02] Sergei Skorobogatov. Low temperature data remanence in static RAM. Technical Report UCAM-CL-TR-536, University of Cambridge, Computer Laboratory, June 2002. 79 [SPW99] Sean W. Smith, Elaine R. Palmer, and Steve Weingart. Building a high-performance, programmable secure coprocessor. In Computer Networks, pages 831-860, 1999. 80